Haveibeenpwned Author’s Mailing List Breach

Troy Hunt, a prominent computer security expert known for his information protection courses, the creation of the “have I been pwned?” compromised password checker, and his role as a Microsoft Regional Director, recently disclosed details of a security breach involving his own mailing list. The incident is a stark reminder that, under the right circumstances, even cybersecurity professionals can fall victim to phishing.

Troy received an email purportedly from Mailchimp informing him that his mailing list had been suspended and requesting certain verification checks. After clicking the link in the email, Troy unwittingly entered his Mailchimp account credentials on a fake page, granting the attackers access to his list’s subscriber base. The breach exposed the email and IP addresses of 16,627 subscribers, including 7,535 addresses of users who had previously unsubscribed from the list but were still retained in Mailchimp’s system.

Troy publicly addressed his mistake by detailing the incident on his blog and also reported the breach on his own service, haveibeenpwned.com. He explained that a combination of factors contributed to his oversight: fatigue from travel, jetlag, and reading the email at a moment when his guard was down.

Furthermore, the initial viewing of the email on his iPhone’s Outlook mail client only displayed the sender’s name and not the email address. When he later opened the email on his computer, the sender’s address “[email protected]” did not immediately raise suspicion. The email, designed to resemble a standard Mailchimp message, raised concerns about spam complaints and prompted Troy to take action to unlock his newsletter sending capabilities.

Unfortunately, the malicious link led to a fake Mailchimp website (mailchimp-so.com), where Troy unknowingly entered his authentication details, allowing attackers to exploit the API and extract sensitive information. Despite attempts to rectify the situation upon realizing the scam, the damage had already been done.
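The two signals described above, a sender whose display name claims a brand while its address belongs to another domain, and a link whose host merely contains the brand name, are the kind of check a mail gateway or a personal triage script can automate. The following is an added example, not code from Troy Hunt’s post or from Mailchimp: the brand-to-domain allowlist, the sender address and the message body are constructed for illustration (the page gives only the look-alike site mailchimp-so.com and a redacted sender address), and the naive “last two labels” domain extraction is a simplification that ignores multi-part public suffixes such as co.uk.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Brand name -> registrable domains it legitimately sends from.
# Assumption: an illustrative allowlist, not Mailchimp's authoritative sending domains.
BRAND_DOMAINS = {
    "mailchimp": {"mailchimp.com"},
}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def registrable_domain(host: str) -> str:
    """Naive eTLD+1: keep the last two labels of a hostname.
    Simplification: does not handle multi-part suffixes like co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def brands_mentioned(text: str) -> set:
    """Brands whose name appears as a substring, e.g. in 'mailchimp-so.com'."""
    lowered = text.lower()
    return {brand for brand in BRAND_DOMAINS if brand in lowered}


def check_sender(from_header: str) -> list:
    """Flag a From header that names a brand (in display name or domain)
    but is sent from a domain not on that brand's allowlist."""
    display, addr = parseaddr(from_header)
    if "@" not in addr:
        return ["From header has no parseable address"]
    domain = registrable_domain(addr.split("@", 1)[1])
    findings = []
    for brand in brands_mentioned(display) | brands_mentioned(domain):
        if domain not in BRAND_DOMAINS[brand]:
            findings.append(
                f"sender domain {domain!r} invokes {brand!r} but is not an allowlisted domain"
            )
    return findings


def check_links(body: str) -> list:
    """Flag links whose registrable domain contains a brand name
    without being one of that brand's real domains (look-alike hosts)."""
    findings = []
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        domain = registrable_domain(host)
        for brand in brands_mentioned(domain):
            if domain not in BRAND_DOMAINS[brand]:
                findings.append(f"link {url!r} uses look-alike domain {domain!r}")
    return findings


def triage(from_header: str, body: str) -> list:
    """Combine sender and link checks; an empty list means nothing suspicious."""
    return check_sender(from_header) + check_links(body)


# Constructed sample messages (sender address and wording are made up; the
# look-alike link host is the one named in the article).
PHISH_FROM = '"Mailchimp" <noreply@mailchimp-alerts.example>'
PHISH_BODY = (
    "Your account has been suspended due to spam complaints. "
    "Verify here: https://mailchimp-so.com/verify"
)
LEGIT_FROM = "Mailchimp <noreply@mailchimp.com>"
LEGIT_BODY = "Your campaign report is ready: https://mailchimp.com/reports"

if __name__ == "__main__":
    for label, sender, body in (("phish", PHISH_FROM, PHISH_BODY),
                                ("legit", LEGIT_FROM, LEGIT_BODY)):
        print(label, triage(sender, body) or "no findings")
```

The check is deliberately conservative: it only fires when a brand name is present, so ordinary mail from unrelated domains is untouched, and it catches the mobile-client blind spot directly, because it looks at the address rather than the display name the phone showed.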
