Олександр Кузьменко, That's Life
28 March 2025, 13:05
The creator of the data leak site HaveIBeenPwned was caught in a phishing email. How a hacker managed to catch a cybersecurity expert in his mistake
The attackers managed to outsmart Troy Hunt, the creator of the website HaveIBeenPwned, who clicked on a malicious link in an email due to exhaustion after a trip. He assures that the data of millions of HaveIBeenPwned users was not affected by his mistake.
HaveIBeenPwned is a website that allows users to check if their personal information has been compromised in a data breach. The site is widely recognized as a valuable resource for protecting security and privacy.
The project was created by security expert Troy Hunt on December 4, 2013. As of June 2019, the HaveIBeenPwned website was visited by over 160,000 users daily. It also has nearly 3 million active email subscribers and contains records of nearly 8 billion accounts.
«You know when you feel really jet-lagged and tired and the cogs in your head are turning a little slower? That’s exactly what happened to me, and it just came to light that a Mailchimp phishing attack stole my credentials, logged into my account, and exported the mailing list for this blog», — Troy Hunt recently reported on his personal website.
It finally happened — I got phished. Impact is limited to the Mailchimp mailing list for my blog, brief blog post with details here and more to come later: https://t.co/AMIfmvAwYJ
According to him, the attacker only managed to obtain data from users who subscribed to his personal blog, not the HaveIBeenPwned website.
«I am extremely disappointed to have been caught up in this, and I apologize to everyone on this list», — he said.
Hunt later revealed that the attack affected about 16,000 email addresses. It was carried out through a phishing email that purported to come from his email provider, Mailchimp. The phishing email claimed that Mailchimp had received a spam complaint and had been forced to limit the «sending rights» of Hunt’s account, which was linked to his personal blog.
Troy Hunt clicked the phishing link in the email, which led him to a login page controlled by the attacker, where he entered his credentials and a one-time password. He quickly realized something was wrong when the login process «froze».
Screenshot of the phishing email that Troy Hunt fell for
Hunt changed the password on his real Mailchimp account, but it was too late: the attacker had already logged in and exported the mailing list, which suggests the whole attack was automated. The expert added that 7,535 users who had unsubscribed from his blog were also caught up in the breach, because Mailchimp was unable to delete their email addresses.
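The check a mail filter (or a reader less jet-lagged than Hunt) could apply to a message like the one described above, as an added example that is not part of the article: it extracts the links in the email and flags any whose domain does not belong to the brand the message claims to come from. The sample email, the brand allowlist and the brand-detection rule are constructed assumptions, not the real phishing email.

```python
import re
from urllib.parse import urlparse

# Constructed sample modelled on the pretext described in the article
# (a "spam complaint" that limited the account's sending rights); it is
# not the real phishing email that Hunt received.
SAMPLE_EMAIL = """From: Mailchimp <no-reply@mailchimp-notice.example>
Subject: Your sending rights have been limited

We received a spam complaint about your account and have limited
its sending rights. Review the complaint and restore access here:
https://mailchimp-login.example/account/review?ref=blog
Help center: https://mailchimp.com/help/about-spam-complaints/
"""

# Hypothetical allowlist: domains the impersonated brand really links to.
BRAND_DOMAINS = {"mailchimp": {"mailchimp.com", "mailchi.mp", "eepurl.com"}}

URL_RE = re.compile(r"https?://[^\s<>\"']+")

def claimed_brand(email_text):
    """Return the brand named in the headers (From/Subject), if we know it."""
    header = email_text.split("\n\n", 1)[0].lower()
    for brand in BRAND_DOMAINS:
        if brand in header:
            return brand
    return None

def registrable_domain(host):
    """Naive eTLD+1 (last two labels); enough for the .com-style hosts here."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def suspicious_links(email_text):
    """URLs whose domain is not one the claimed brand legitimately uses."""
    brand = claimed_brand(email_text)
    if brand is None:
        return []  # no brand claim to check against
    allowed = BRAND_DOMAINS[brand]
    flagged = []
    for url in URL_RE.findall(email_text):
        host = urlparse(url).hostname or ""
        if registrable_domain(host) not in allowed:
            flagged.append(url)  # lookalike or unrelated domain
    return flagged

if __name__ == "__main__":
    for url in suspicious_links(SAMPLE_EMAIL):
        print("suspicious link:", url)
```

A domain check like this catches the lookalike login page; it does nothing against the second half of the attack, where a one-time password typed into the attacker's page is relayed to the real site before it expires.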
Although the Australian expert had received and repelled «a gazillion similar phishing attacks,» he explained that this particular phishing email caught him off guard as he was exhausted from his trip to London.
«Fatigue was a major factor. I wasn’t paying enough attention and didn’t think through what I was doing. The attacker couldn’t have known (I have no reason to suspect that the attack was directed at me), but we all have moments of weakness, and if a phishing attack took advantage of that moment, well, there we have it», — Troy Hunt explained.