Security Expert Troy Hunt Falls Victim to Sophisticated Mailchimp Phishing Scam

Renowned cybersecurity expert Troy Hunt became the latest victim of a sophisticated phishing scam targeting his Mailchimp newsletter service, resulting in the exposure of approximately 16,000 subscriber records.

Hunt, who runs the popular data breach notification service "Have I Been Pwned," received a deceptive email claiming his Mailchimp account had been flagged for spam complaints. The message threatened service suspension unless immediate action was taken.

Despite his extensive experience identifying phishing attempts, Hunt clicked the malicious link while experiencing jet lag. The scammers successfully obtained his credentials and exported his blog's mailing list, which contained both current and former subscriber information.

The compromised data included email addresses, subscription status, IP addresses, and general location coordinates. Of the 16,000 affected records, 7,535 belonged to previously unsubscribed readers.

Taking swift action, Hunt published a detailed disclosure just 34 minutes after discovering the breach. He immediately changed his password, contacted Mailchimp to revoke the attacker's access, and verified the phishing website was taken offline.

"I'm enormously frustrated with myself for having fallen for this, and I apologise to anyone on that list," Hunt wrote in his transparent account of the incident.

In a notable move demonstrating accountability, Hunt added his own breach to the Have I Been Pwned database. Affected subscribers are being notified and advised to remain vigilant against potential follow-up scam attempts using their exposed information.

The incident serves as a powerful reminder that even security professionals can fall prey to well-crafted phishing attacks, especially under less-than-ideal circumstances. Hunt's rapid and transparent response sets a strong example for responsible breach disclosure in the cybersecurity community.