How Security Expert Troy Hunt Got Phished—and Why 2FA Didn’t Save Him

by Josh Kirschner on March 25, 2025

This morning, I received a Have I Been Pwned (HIBP) alert about my email address showing up in a breach labeled “Troy Hunt’s Mailchimp List.” My first reaction was disbelief. Troy Hunt – the renowned cybersecurity expert behind HIBP – had just fallen for a phishing scam. It wasn’t a hoax, and it wasn’t some obscure company losing control of its data. This was a respected security researcher, with deep expertise in phishing prevention, acknowledging that he had been successfully targeted.

And it’s exactly this that makes the story so important.

Hunt shared the details in a personal blog post, walking readers through how the attack unfolded. He was traveling, jet-lagged, and not fully alert when a well-crafted phishing email posing as a legitimate Mailchimp login page landed in his inbox. He clicked through, entered his credentials, and even supplied the one-time passcode (OTP) from his authenticator app. The page stalled. Moments later, the realization set in.

Within minutes, the attacker used those credentials to log in and export Hunt’s full mailing list – around 16,000 email addresses, including IP addresses, and metadata. That’s how I got the notification: my email was among them.

If someone with Troy Hunt’s security experience and threat awareness can fall for a phishing attack, anyone can. He even noted that his password manager, 1Password, didn’t auto-fill on the fake login page – a red flag he normally would have caught. But in a moment of tiredness, the alert signals didn't register. That’s exactly what phishing scams exploit: timing, urgency, and psychological manipulation.

In Hunt’s case, the email claimed his Mailchimp account’s sending privileges had been suspended due to a spam complaint, a scary situation for anyone who relies on email to communicate with an audience. But, as Hunt explains, “it wasn't all bells and whistles about something terrible happening if I didn't take immediate action. It created just the right amount of urgency without being over the top.” Just enough of a push to act, but not enough to raise alarms. This kind of social engineering isn’t amateurish – it’s carefully calculated to slip past our defenses when we’re not at our best.

The Limits of Two-Factor Authentication

Another uncomfortable takeaway: not all forms of two-factor authentication (2FA) offer the same level of protection. In Hunt’s case, he was using an authenticator app to generate time-based one-time passcodes, a step above SMS-based 2FA, which can be intercepted through SIM-swapping or text message hijacking. But even authenticator apps are still vulnerable in phishing scenarios – especially real-time phishing attacks like the one Hunt fell for.

Here’s how it played out: after entering his credentials on the spoofed Mailchimp login page, he was prompted for his 2FA code. He opened his authenticator app, entered the code, and hit submit. That code was instantly relayed to the attacker, who had a script or automated system standing by to use it immediately. Within seconds, Hunt received alerts showing that his account had been accessed and the mailing list exported – all before he could take action.

That’s the core weakness of these common 2FA methods: they rely on something the user sees and then types in, which can be intercepted and reused almost instantly.

A better approach is passkeys, which use public key cryptography and are phishing-resistant by design. With passkeys, there’s no code to type and nothing for an attacker to intercept. Authentication is tied to your device – whether it’s your phone, computer, or hardware key – and can only be completed through a secure, local process such as Face ID, fingerprint scan, or device PIN. Passkeys also verify the domain you're logging into, so even if you click on a phishing link, the authentication simply won't complete if the domain doesn’t match the original.

Mailchimp doesn’t currently offer passkeys as a login option. It only supports 2FA via SMS or authenticator apps – both of which, as Hunt’s experience illustrates, can be defeated with a sophisticated phish.

The Big Takeaways

The lesson here is simple: vigilance matters. Use a password manager and don’t ignore it when it doesn’t auto-fill. Scrutinize the domain of any site requesting credentials. And push for services to adopt phishing-resistant 2FA methods – because SMS and app-based codes can be intercepted with the right phishing setup.

Most of all, know that falling for a scam doesn’t make you stupid. It makes you human. As Hunt put it, even he – someone who educates others about these very scams – felt the same shame and frustration he often hears from scam victims.

For those affected by the breach, Hunt has committed to further updates and is working with Mailchimp on follow-up steps.

[Image credit: Techlicious/DALLE]
