Renowned Cybersecurity Expert Troy Hunt Targeted by Phishing Attack
TL;DR
Renowned cybersecurity expert Troy Hunt recently fell victim to a phishing attack, resulting in the theft of approximately 16,000 subscriber records from his Mailchimp mailing list. Hunt’s transparent and rapid disclosure of the incident underscores the importance of vigilance and the potential for anyone to be targeted by such scams.
Main Content
Internet security expert and educator Troy Hunt recently disclosed that he had been targeted by one of the oldest and most effective online scams: a phishing attack.
Through an automated attack disguised as a notice from Hunt’s chosen newsletter provider Mailchimp, scammers stole roughly 16,000 records belonging to current and past subscribers of Hunt’s blog. Readers should be vigilant for any potential scams or phishing attempts in the coming weeks.
“I’m enormously frustrated with myself for having fallen for this, and I apologize to anyone on that list,” Hunt wrote.
However, Hunt’s immediate disclosure of the attack is commendable. By publishing a transparent blog post detailing the phish just 34 minutes after falling for it, Hunt demonstrated that online scams can hit anyone. While shame and embarrassment are common, no one should ever feel alone in their experience.
What Happened?
On March 25, Hunt received a malicious email disguised as a legitimate notice from Mailchimp, which he uses to email his blog entries to subscribed readers. The email claimed that Mailchimp was temporarily cutting service to Hunt because his blog had allegedly received a spam complaint.
“Your account has been flagged due to a spam complaint, and as a result, you are temporarily unable to send emails until this issue is resolved,” the email read. To fix the issue, Hunt was asked to sign into his Mailchimp account.
The phishing email was convincingly designed and threatened consequences if its recipient failed to act. However, Hunt noted, “I’ve received a gazillion similar phishes before that I’ve identified early,” indicating that another factor was at play: timing.
“You know when you’re really jet lagged and really tired and the cogs in your head are just moving that little bit too slow?” Hunt wrote. “That’s me right now, and the penny has just dropped that a Mailchimp phish has grabbed my credentials, logged into my account and exported the mailing list for this blog.”
Hunt also noticed that when he tried to log into his Mailchimp account by following the phishing email’s link, his password manager did not auto-fill his account details.
While a password manager’s refusal to auto-fill credentials on a website can indicate that the website itself might be illegitimate, it’s far from a guaranteed red flag. As Hunt said, “There are so many services where you’ve registered on one domain (and that address is stored in 1Password), then you legitimately log on to a different domain.”
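As an added illustration (not code from the original article or from any password manager), the check below mirrors the signal Hunt describes: a manager offers to fill a saved login only when the page's registrable domain matches the domain the credential was saved on. That silences a lookalike domain, but it also stays silent on a legitimate login hosted on a second domain, which is why the signal is a hint rather than proof. All domain names are constructed placeholders.

```python
from urllib.parse import urlsplit


def hostname_of(url: str) -> str:
    """Lower-cased hostname of a URL (no scheme, port, path or userinfo)."""
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no hostname in {url!r}")
    return host.lower()


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels). Real managers consult the Public
    Suffix List so that names like 'example.co.uk' are handled correctly;
    this simplification is an assumption of the example."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:])


def autofill_decision(saved_url: str, page_url: str) -> str:
    """'fill' when the page shares the saved credential's site, else 'no-fill'."""
    saved_site = registrable_domain(hostname_of(saved_url))
    page_site = registrable_domain(hostname_of(page_url))
    return "fill" if saved_site == page_site else "no-fill"


if __name__ == "__main__":
    # Constructed placeholder for where the credential was originally saved.
    SAVED = "https://mailchimp.example/login"
    for page in (
        "https://login.mailchimp.example/",                   # same site -> fill
        "https://mailchimp.example.lookalike.example/login",  # lookalike -> no-fill
        "https://other-provider.example/account",             # legitimate but different site -> no-fill
    ):
        print(f"{page:55} {autofill_decision(SAVED, page)}")
```

The third case is the false alarm Hunt mentions: the manager declines to fill, yet the site is genuine, so a user cannot treat "no autofill" as a reliable phishing detector on its own.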
In the phishing attack, the scammers stole about 16,000 records belonging to people who had subscribed to, and in many cases later unsubscribed from, Hunt’s blog. This is because Mailchimp preserves the data of users who unsubscribe, a storage practice that Hunt is currently investigating with the company. Of the 16,000 records, 7,535 email addresses belonged to readers who had unsubscribed. All breach victims are being notified over time, Hunt said.
The stolen records included email addresses, subscription statuses, and IP addresses, along with latitude and longitude data, which, as Hunt later learned, “do not pinpoint the location of the subscriber.”
After recognizing his mistake, Hunt changed his password, reached out to Mailchimp to help delete the scammer’s API key, and then verified that the website he was directed to in the phishing attack had been taken offline.
And, importantly, as the owner of the website Have I Been Pwned (HIBP), which helps people check whether they have been involved in a data breach, Hunt had one more data breach to add to the website’s collection: his own.
“When I have conversations with breached companies, my messaging is crystal clear: be transparent and expeditious in your reporting of the incident and prioritize communicating with your customers,” Hunt said. “Me doing anything less than that would be hypocritical, including how I then handle the data from the breach, namely adding it to HIBP.”
Best Practice
Responsible data breach disclosures are so rare that they deserve some news coverage, and Malwarebytes is happy to see that Hunt used himself as an example during a stressful and difficult incident. Phishing attacks are common because they’re effective, and that includes against new device owners, longtime web users, and literal security experts.
For readers impacted in the attack, stay alert to any phishing attempts that might hit your inbox, including ones that use your Have I Been Pwned subscription as a lure. There is no shame in falling for a scam, but it’s better to avoid one before it even happens.
For more details, visit the full article: source
Conclusion
Troy Hunt’s experience serves as a stark reminder that even the most vigilant individuals can fall victim to phishing attacks. His transparent and prompt disclosure sets a positive example for handling data breaches, emphasizing the importance of open communication and swift action in mitigating the impact of such incidents.