https://www.troyhunt.com/a-sneaky-phish-just-grabbed-my-mailchimp-mailing-list
Renowned cybersecurity expert Troy Hunt has fallen victim to a sophisticated phishing attack that compromised his Mailchimp account and led to the unauthorized export of his blog’s entire mailing list of approximately 16,000 subscribers.
In a transparent blog post, Hunt detailed how he received what appeared to be a legitimate email from Mailchimp warning about unusual login activity. While suffering from jet lag in London, he clicked the link, which directed him to a convincing but fraudulent site at “mailchimp-sso.com”, where he entered his credentials and a one-time password. The attack was highly automated: the attackers exported his subscriber list immediately, before he could take any preventive action.
“I’m enormously frustrated with myself for having fallen for this, and I apologise to anyone on that list,” Hunt wrote. He noted that despite having identified numerous similar phishing attempts in the past, a combination of fatigue and a well-crafted email that triggered fear without seeming overly urgent led to his momentary lapse in judgment.
The breach exposed subscriber email addresses along with additional data Mailchimp automatically collects, including IP addresses and approximate geolocation information. Hunt expressed particular concern that the export included 7,535 email addresses of people who had previously unsubscribed from his newsletter, questioning why Mailchimp retains this information.
As the founder of “Have I Been Pwned,” a service that alerts users when their information appears in data breaches, Hunt promptly added the compromised data to his own database and has notified affected individuals. He also immediately changed his Mailchimp password and deleted an API key created by the attackers.
Hunt highlighted that the incident reinforces the importance of phishing-resistant authentication methods like passkeys, noting the irony that he had been discussing this very topic with the UK’s National Cyber Security Centre just before falling victim to the attack. In response, he has registered “whynopasskeys.com” to build awareness about services that don’t support unphishable second factors.
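The incident illustrates why a one-time password is not a phishing-resistant second factor while a passkey is. The following added example (not code from Hunt's post or from Mailchimp) models the difference in a simplified way: an OTP is a bare secret that the server accepts no matter which site the user typed it into, whereas a WebAuthn-style assertion carries the origin the browser was actually on and is signed over it, so a relying party rejects an assertion minted on a lookalike domain. The origins, the credential key and the HMAC standing in for the authenticator's asymmetric signature are all constructed assumptions for illustration; real WebAuthn additionally scopes the credential to the relying-party ID so a lookalike domain cannot invoke it at all.

```python
import hashlib
import hmac
import json

# Constructed stand-ins for the real login origin and a lookalike domain
# modelled on the "mailchimp-sso.com" site described in the story.
LEGIT_ORIGIN = "https://mailchimp.example"
LOOKALIKE_ORIGIN = "https://mailchimp-sso.example"


def otp_login(user_otp: str, server_otp: str) -> bool:
    """An OTP is just a short shared secret. The server has no way to tell
    which page the user typed it into, so a relayed code is indistinguishable
    from a legitimate one."""
    return hmac.compare_digest(user_otp, server_otp)


def passkey_assert(credential_key: bytes, challenge: str, origin: str) -> dict:
    """Simplified authenticator: the browser supplies the origin it is really
    on, and the assertion is signed over challenge + origin. HMAC stands in
    for the real private-key signature (assumption for illustration)."""
    client_data = json.dumps(
        {"challenge": challenge, "origin": origin}, sort_keys=True
    ).encode()
    signature = hmac.new(credential_key, client_data, hashlib.sha256).hexdigest()
    return {"client_data": client_data, "signature": signature}


def passkey_verify(
    credential_key: bytes,
    expected_challenge: str,
    assertion: dict,
    rp_origin: str = LEGIT_ORIGIN,
) -> bool:
    """Simplified relying party: refuse any assertion whose embedded origin is
    not ours or whose challenge is stale, then check the signature."""
    data = json.loads(assertion["client_data"])
    if data.get("origin") != rp_origin:
        return False  # minted on a lookalike domain: phishing-resistant by construction
    if data.get("challenge") != expected_challenge:
        return False  # replayed or cross-session assertion
    expected = hmac.new(credential_key, assertion["client_data"], hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, assertion["signature"])


def demo() -> tuple:
    """Returns (otp_accepted_from_lookalike, passkey_accepted_from_lookalike,
    passkey_accepted_from_legit)."""
    # OTP flow: the code the user types on the lookalike page is the real code,
    # so the server accepts it.
    server_otp = "492817"  # constructed sample value
    otp_accepted = otp_login(server_otp, server_otp)

    # Passkey flow with the same user on the lookalike page.
    key = b"constructed-credential-key"
    challenge = "c0ffee-constructed-challenge"
    from_lookalike = passkey_assert(key, challenge, LOOKALIKE_ORIGIN)
    lookalike_accepted = passkey_verify(key, challenge, from_lookalike)

    # Same passkey used on the genuine origin.
    from_legit = passkey_assert(key, challenge, LEGIT_ORIGIN)
    legit_accepted = passkey_verify(key, challenge, from_legit)
    return otp_accepted, lookalike_accepted, legit_accepted


if __name__ == "__main__":
    print(demo())  # (True, False, True)
```

The point of the model is the third field in the assertion: the user cannot "mistype" the origin the way they can paste an OTP into the wrong page, because the browser fills it in and the relying party checks it, which is what makes the factor unphishable rather than merely harder to phish.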
The phishing site was taken down by Cloudflare approximately two hours after Hunt fell victim to it. Hunt is in communication with Mailchimp regarding the incident and has asked them about their roadmap for implementing passkeys and their policy on retaining unsubscribed user data.