
Image: Troy Hunt
Real-world incidents remind us that even cybersecurity experts are not immune to online deception. This time, the case involves Troy Hunt, the renowned security specialist and creator of the popular breach notification service, HaveIBeenPwned.com.
Hunt, widely respected in the infosec community, was among the first to compile breach data from the dark web into a searchable platform. Users can simply enter their email or username on the HIBP website to check whether their credentials have appeared in known data leaks.
The phishing campaign that targeted him was meticulously crafted. Hunt uses Mailchimp, an email subscription service, to communicate with over 16,000 subscribers. Hackers impersonated Mailchimp and sent him a convincing phishing email.
The message claimed that Mailchimp had received spam complaints related to his personal blog’s mailing list, resulting in restrictions on his ability to send emails. Jetlagged and fatigued while in London, Hunt failed to scrutinize the sender’s details before clicking the embedded link. The spoofed site prompted him to enter his login credentials and 2FA code. Although he noticed that 1Password did not autofill the login fields—a red flag, since a password manager only offers saved credentials on the domain they were saved for—he manually typed in his credentials and copied the two-factor code from the password manager.
Behind the scenes, the attackers used automation. As soon as the credentials and 2FA token were submitted, a bot logged into Mailchimp and generated an API export of the entire subscriber list, including unsubscribed users.
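As an added example (not from the article, and not 1Password’s own code), the following Python models the domain check a password manager performs before offering a saved login, which is why the lookalike domain produced no autofill. The public-suffix subset is a constructed assumption; real managers consult the full Public Suffix List.

```python
from urllib.parse import urlsplit

# Constructed subset of public suffixes for this example; a real password
# manager uses the complete Public Suffix List.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


def registrable_domain(url: str) -> str:
    """Return the registrable domain (one label above the public suffix)."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    # Walk from the longest candidate suffix down so "co.uk" wins over "uk".
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES and i > 0:
            return ".".join(labels[i - 1:])
    return host


def autofill_allowed(saved_url: str, page_url: str) -> bool:
    """A saved login is offered only when the registrable domains match."""
    return registrable_domain(saved_url) == registrable_domain(page_url)


def lookalike_warning(saved_url: str, page_url: str) -> bool:
    """True when the page is NOT the saved site but reuses its brand label,
    e.g. a saved mailchimp.com login visited on mailchimp-sso.com."""
    saved = registrable_domain(saved_url)
    page = registrable_domain(page_url)
    brand = saved.split(".")[0]
    return saved != page and brand in page


if __name__ == "__main__":
    saved = "https://login.mailchimp.com/"
    for page in ("https://us1.admin.mailchimp.com/", "http://mailchimp-sso.com/"):
        print(page, "autofill:", autofill_allowed(saved, page),
              "lookalike:", lookalike_warning(saved, page))
```

The same silence that Hunt noticed is the signal worth acting on: when the manager declines to fill, compare the address bar against the domain stored with the login before typing anything.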
Fortunately, the impact of the breach was minimal. The incident did not affect HaveIBeenPwned’s data, but subscribers to Hunt’s blog may now be at risk of receiving phishing emails impersonating him.
Roughly two hours and fifteen minutes after the compromise, Cloudflare appears to have flagged and taken down the phishing site (hxxp://mailchimp-sso.com). Hunt also manually reported the domain to Google, and Chrome subsequently began blocking access to the malicious site.
As in many sophisticated phishing operations, the attackers sent the message from a hijacked email account belonging to a Belgian cleaning company. Such established domains tend to carry high reputational trust, reducing the likelihood that spam filters intercept the message.
This serves as a cautionary tale: never click links in unsolicited emails without verifying the sender’s domain. Even then, it’s easy to be deceived—some attackers use legitimate-looking domains and third-party email services to mask their intentions.