Security expert Troy Hunt hit by phishing attack

Troy Hunt, security expert and Have I Been Pwned owner, disclosed a phishing attack against him in a commendable display of transparency.

Mar 26, 2025 - 23:25

Internet security expert and educator Troy Hunt disclosed this week that he had been hit by one of the oldest—and most proven—scams in the online world: A phishing attack.

Through an automated attack disguised as a notice from Hunt’s chosen newsletter provider Mailchimp, scammers stole roughly 16,000 records belonging to current and past subscribers of Hunt’s blog. As such, readers should be on the lookout for any scams or phishing attempts in the coming weeks.

“I’m enormously frustrated with myself for having fallen for this, and I apologise to anyone on that list,” Hunt wrote.

But Hunt’s immediate disclosure of the attack should be commended. By publishing a transparent blog that detailed the phish just 34 minutes after falling for it, Hunt used himself as the strongest example yet that online scams can hit anyone, and that, while shame and embarrassment are common, no one should ever feel alone in their experience.

What happened?

On March 25, Hunt received a malicious email disguised as a legitimate notice from the company Mailchimp, which he uses to email his blog entries to subscribed readers. The email claimed that Mailchimp was temporarily cutting service to Hunt because his blog had allegedly received a spam complaint.

“Your account has been flagged due to a spam complaint, and as a result, you are temporarily unable to send emails until this issue is resolved,” the email read. To fix the issue, Hunt was asked to sign into his Mailchimp account.

The phishing email was convincingly designed, and it threatened consequences if its recipient failed to act. But, as Hunt said, “I’ve received a gazillion similar phishes before that I’ve identified early,” so another simple factor was at play: Timing.

“You know when you’re really jet lagged and really tired and the cogs in your head are just moving that little bit too slow?” Hunt wrote. “That’s me right now, and the penny has just dropped that a Mailchimp phish has grabbed my credentials, logged into my account and exported the mailing list for this blog.”

Hunt also noticed that, when he tried to log into his Mailchimp account by following the phishing email’s link, his password manager did not auto-fill his account details.

While a password manager’s refusal to auto-fill credentials on a website can indicate that the website itself might be illegitimate, it’s far from a guaranteed red flag. As Hunt said, “there are so many services where you’ve registered on one domain (and that address is stored in 1Password), then you legitimately log on to a different domain.”
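The auto-fill behaviour described above, as an added example that is not code from the post or from any password manager: a credential is offered only when the page's registrable domain matches one the user has previously signed in on, a lookalike host is refused, and a legitimate alternate domain can be trusted after the user verifies it. The hostnames are constructed for illustration, and the last-two-labels domain rule is a simplification of the Public Suffix List that real managers use.

```python
from urllib.parse import urlsplit

# Constructed credential store: service -> hostnames the user has actually
# signed in on with that credential (assumed values, not from Hunt's post).
SAVED_LOGIN_HOSTS = {
    "mailchimp": {"login.mailchimp.com"},
}

def registrable_domain(host: str) -> str:
    """Crude eTLD+1: keep the last two labels. Real password managers use the
    Public Suffix List; this simplification is enough to show the idea."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def autofill_decision(service: str, url: str) -> tuple:
    """Decide whether the saved credential should be offered on `url`.
    Returns ("fill" | "no-fill", reason)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https" or not host:
        return ("no-fill", "not an https URL with a hostname")
    saved = {registrable_domain(h) for h in SAVED_LOGIN_HOSTS.get(service, ())}
    if registrable_domain(host) in saved:
        return ("fill", f"{host} shares a registrable domain with a saved login")
    # A miss is a prompt to check the address bar, not proof of phishing:
    # the service may legitimately use another domain, as Hunt notes.
    return ("no-fill", f"{host} matches none of {sorted(saved)}; verify first")

def trust_alternate_domain(service: str, host: str) -> None:
    """Record a domain the user has verified out-of-band so that a legitimate
    alternate login domain fills in future."""
    SAVED_LOGIN_HOSTS.setdefault(service, set()).add(host.lower())

if __name__ == "__main__":
    for url in (
        "https://login.mailchimp.com/",             # saved host
        "https://admin.mailchimp.com/account",      # same registrable domain
        "https://mailchimp.com.example/login",      # constructed lookalike
        "https://mailchimp-billing.example/login",  # constructed lookalike
        "http://login.mailchimp.com/",              # right host, no TLS
    ):
        print(autofill_decision("mailchimp", url))
```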

In the phishing attack, the scammers stole about 16,000 records belonging to people who had both subscribed and unsubscribed to Hunt’s blog. This is because Mailchimp preserves data of users who unsubscribe, a storage practice that Hunt is currently investigating with the company. Of the 16,000 records, 7,535 email addresses were of readers who unsubscribed. All breach victims are being notified over time, Hunt said.

The stolen records included email addresses, subscription statuses, and IP addresses, along with latitude and longitude data, which, as Hunt later learned, “do not pinpoint the location of the subscriber.”

After recognizing his mistake, Hunt changed his password, reached out to Mailchimp to help delete the scammer’s API key, and then verified that the website he was directed to in the phishing attack had been taken offline.

And, importantly, as the owner of the website Have I Been Pwned (HIBP), which helps people search whether they’ve been involved in a data breach, Hunt had one more data breach to add to the website’s collection: His own.

“When I have conversations with breached companies, my messaging is crystal clear: be transparent and expeditious in your reporting of the incident and prioritise communicating with your customers,” Hunt said. “Me doing anything less than that would be hypocritical, including how I then handle the data from the breach, namely adding it to HIBP.”

Best practice

Responsible data breach disclosures are so rare that they deserve some news coverage, and Malwarebytes is happy to see that Hunt used himself as an example during a stressful and difficult incident. Phishing attacks are common because they’re effective, and that includes against new device owners, longtime web users, and literal security experts.

For readers impacted in the attack, stay mindful of any phishing attempts that might hit your inbox using your Have I Been Pwned subscription as a lure. There is no shame in falling for a scam, but it’s better to avoid one before it even happens.