Have I Been Pwned: Project operator Troy Hunt pwned

The operator of Have I Been Pwned was himself the victim of a phishing attack. The emails from the newsletter mailing list were stolen.

Have I Been Pwned? Yes!

(Image: heise online / dmk)

Troy Hunt, operator of the Have I Been Pwned (HIBP) service, fell victim to a phishing attack and was thus "pwned" himself. As a result, 16,627 email addresses from the mailing list of the newsletter for Hunt's personal blog ended up in unauthorized hands.

In a blog post, Hunt explains how the incident could happen. After all, one would expect the operator of the largest publicly accessible data-leak checking service to be particularly resistant to phishing. The explanation for why things turned out differently is as simple as it is human: Hunt was very tired and jet-lagged, and therefore a little slow in his thinking, he writes.

Hunt was traveling in London when he received an email claiming that his sending rights on the mailing list service Mailchimp had been restricted because of spam complaints. He followed the link in the email, landed on "mailchimp-sso.com" and entered his login details, which his password manager 1Password had not filled in automatically. After he entered the OTP from his authenticator app, the page hung – and then the penny dropped: Hunt logged in to the official Mailchimp website, where a confirmation email from Mailchimp showed a login to the service from his London IP address.

He changed his password immediately when a further notification email informed him that the mailing list addresses had been exported from an IP address in New York. Almost simultaneously, another email arrived reporting a login from that New York IP address. Hunt concludes that this was apparently a highly automated attack designed to export the list before the victim can take countermeasures. The copied data included email addresses, IP addresses and geographic location. It also contained the addresses of former newsletter recipients who had already unsubscribed. This is down to Mailchimp: the provider does not delete such addresses automatically but merely marks them as "unsubscribed"; mailing list owners have to remove them manually.

Hunt is contrite and frustrated at having fallen for this phish. He also discusses other factors that made the attackers' job easier. For example, the second-factor protection Mailchimp offers (OTP codes) is less phishing-resistant than passkeys. In addition, Outlook shows only the display name of an email's sender rather than the complete, and in this case obviously fake, sender address. In the meantime, the phishing domain has also been added to Google's Safe Browsing database, so web browsers now warn about it.
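As an added example, not from the article or from Hunt's own write-up, the following check surfaces what a display-name-only mail client hides: it parses the From header and flags a sender whose display name claims a brand while the address domain is not that brand's domain (including lookalike domains that merely contain the brand name). The brand-to-domain table and the sample headers are constructed assumptions.

```python
# Added example: flag display-name/domain mismatches in a From header,
# the mismatch a display-name-only mail view would not show the user.
from email.utils import parseaddr

# Assumption: the article does not list Mailchimp's legitimate sending
# domains, so this table is a placeholder for the reader to adapt.
BRAND_DOMAINS = {
    "mailchimp": {"mailchimp.com"},
}

def check_sender(from_header: str) -> dict:
    """Parse a From header and return the sender plus a mismatch verdict."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    verdict, reason = "ok", ""
    for brand, legit in BRAND_DOMAINS.items():
        claims_brand = brand in name.lower()
        # Accept the registered domain itself or any of its subdomains.
        is_legit = any(domain == d or domain.endswith("." + d) for d in legit)
        if claims_brand and not is_legit:
            verdict = "suspicious"
            if brand in domain:
                # Brand name embedded in an unrelated domain: lookalike.
                reason = f"display name claims {brand!r} but address uses lookalike domain {domain!r}"
            else:
                reason = f"display name claims {brand!r} but address domain is {domain!r}"
            break
    return {"display_name": name, "address": addr, "domain": domain,
            "verdict": verdict, "reason": reason}

# Constructed sample headers (not taken from the incident's actual mail).
SAMPLE_HEADERS = [
    '"Mailchimp" <noreply@mailchimp-sso.com>',
    'Mailchimp <no-reply@mail.mailchimp.com>',
    '"Mailchimp Support" <support@example.net>',
]

def scan_headers(headers=SAMPLE_HEADERS) -> list:
    """Return the verdict for each header, keeping the address visible."""
    return [check_sender(h) for h in headers]

if __name__ == "__main__":
    for result in scan_headers():
        print(f"{result['verdict']:10} {result['display_name']!r:24} {result['address']}  {result['reason']}")
```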

In a show of transparency in the best sense of the word, Hunt has now added his Mailchimp mailing list to the HIBP database. Anyone who is or was subscribed to his mailing list should be especially careful with emails that refer to it: phishers can exploit knowledge of where the data came from for personalized, targeted attacks.

(dmk)

This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.