Key Takeaways:
Even cybersecurity experts aren’t immune to sophisticated phishing attacks—just ask Troy Hunt, the creator of “Have I Been Pwned,” who recently fell victim to a cleverly disguised MailChimp scam. Hackers tricked him into handing over credentials, leading to the compromise of 16,000 email records in under two minutes.
In his blog post “A Sneaky Phish Just Grabbed My Mailchimp Mailing List,” Hunt described how he fell for a fake “Sending Privileges Restricted” notification. The email urged him to check his account through a link, which led to a fraudulent login page on a lookalike domain. After he entered his credentials and one-time passcode (OTP), the page hung—only then did he realize he had been phished.
“I went to the link which is on mailchimp-sso.com and entered my credentials which — crucially — did not auto-complete from 1Password,” Hunt wrote in the blog post. “I then entered the OTP [one-time password] and the page hung. Moments later, the penny dropped, and I logged onto the official website, which Mailchimp confirmed via a notification email.”
At that moment, Hunt realized his mistake, quickly changed his password, and reviewed his account activity. In less than two minutes, hackers had already accessed and exported around 16,000 records from an IP address in New York.
Hunt admitted he fell for the phishing attack due to several factors. He had just returned from a long flight and was exhausted from jet lag. Additionally, he noted that the phish was exceptionally well-crafted.
“It socially engineered me into believing I wouldn’t be able to send out my newsletter so it triggered ‘fear,’ but it wasn’t all bells and whistles about something terrible happening if I didn’t take immediate action,” Hunt added.
Hunt has already added the compromised email addresses to the Have I Been Pwned database. Unfortunately, the list includes individuals who had previously unsubscribed from the newsletter, as Mailchimp—for unknown reasons—does not delete these addresses from its system.
Hunt strongly criticized Mailchimp for its poor data security practices. The platform does not offer phishing-resistant two-factor authentication (2FA) options like passkeys or hardware security keys, relying instead on OTPs via an authenticator app or SMS. Because an OTP is just a short code the user types, a real-time phishing page can relay it to the genuine site before it expires, which is exactly what happened here. Additionally, Mailchimp retains the email addresses of unsubscribed users, raising further privacy concerns.
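Two details above carry the practical lesson: the credentials “did not auto-complete from 1Password” because the phishing host was not the saved site, and the OTP was accepted because nothing tied it to the page it was typed into. The following is an added example, not code from Hunt’s post or from Mailchimp, that reproduces both: a password-manager-style host match, an RFC 6238 TOTP relayed through a proxy, and a WebAuthn-style assertion that fails on the phishing origin. The RP origin `https://login.mailchimp.com`, the secrets, and the HMAC stand-in for the authenticator’s signature are assumptions for illustration; `mailchimp-sso.com` is the domain named in the post.

```python
import hashlib
import hmac
import json
import secrets
import struct
import urllib.parse

# Assumed for illustration: the page does not name Mailchimp's real login origin.
RP_ORIGIN = "https://login.mailchimp.com"
PHISH_ORIGIN = "https://mailchimp-sso.com"  # lookalike domain from Hunt's post


def password_manager_would_fill(page_url: str, saved_site: str) -> bool:
    """Fill only when the page host is the saved site or a subdomain of it.
    Simplified: real managers use the public-suffix list for the registrable domain."""
    host = urllib.parse.urlsplit(page_url).hostname or ""
    return host == saved_site or host.endswith("." + saved_site)


def totp(secret: bytes, unix_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s step), as produced by an authenticator app."""
    counter = int(unix_time) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def sign(key: bytes, client_data: dict) -> bytes:
    """HMAC stands in for the authenticator's private-key signature over clientDataJSON."""
    payload = json.dumps(client_data, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).digest()


class RelyingParty:
    """Toy server holding the user's TOTP seed and a registered authenticator key."""

    def __init__(self, origin: str, totp_secret: bytes, authenticator_key: bytes):
        self.origin = origin
        self.totp_secret = totp_secret
        self.authenticator_key = authenticator_key  # stand-in for the credential public key
        self.pending = set()

    def verify_totp(self, code: str, now: float) -> bool:
        # Accepts whoever presents the current code: nothing binds it to where it was typed.
        return hmac.compare_digest(code, totp(self.totp_secret, now))

    def new_challenge(self) -> str:
        challenge = secrets.token_hex(16)
        self.pending.add(challenge)
        return challenge

    def verify_assertion(self, client_data: dict, signature: bytes) -> bool:
        # WebAuthn-style checks: fresh challenge, origin equal to the RP's own origin,
        # and a signature covering client_data so neither field can be edited afterwards.
        if client_data.get("challenge") not in self.pending:
            return False
        if client_data.get("origin") != self.origin:
            return False
        self.pending.discard(client_data["challenge"])
        return hmac.compare_digest(sign(self.authenticator_key, client_data), signature)


class Authenticator:
    """User's passkey or security key: it signs the origin the browser actually visited."""

    def __init__(self, key: bytes):
        self.key = key

    def get_assertion(self, challenge: str, browser_origin: str):
        client_data = {"challenge": challenge, "origin": browser_origin}
        return client_data, sign(self.key, client_data)


def relay_totp_attack(now: float = 1_700_000_000.0) -> bool:
    """Adversary-in-the-middle: phish page forwards password + OTP within the 30 s window."""
    rp = RelyingParty(RP_ORIGIN, b"victim-totp-seed", b"unused")
    code_typed_into_phish_page = totp(b"victim-totp-seed", now)  # read from the victim's app
    return rp.verify_totp(code_typed_into_phish_page, now + 5)   # relayed seconds later


def relay_webauthn_attack(tamper_origin: bool = False) -> bool:
    """Same proxy, but the second factor is an origin-bound assertion."""
    key = b"victim-authenticator-key"
    rp = RelyingParty(RP_ORIGIN, b"unused", key)
    challenge = rp.new_challenge()  # proxy fetches a genuine challenge from the RP...
    client_data, sig = Authenticator(key).get_assertion(challenge, PHISH_ORIGIN)  # ...browser is on the phish
    if tamper_origin:
        client_data["origin"] = RP_ORIGIN  # proxy rewrites origin; the signature no longer matches
    return rp.verify_assertion(client_data, sig)


def legitimate_webauthn_login() -> bool:
    key = b"victim-authenticator-key"
    rp = RelyingParty(RP_ORIGIN, b"unused", key)
    client_data, sig = Authenticator(key).get_assertion(rp.new_challenge(), RP_ORIGIN)
    return rp.verify_assertion(client_data, sig)


if __name__ == "__main__":
    print("1Password-style fill on phish page:", password_manager_would_fill(PHISH_ORIGIN + "/login", "mailchimp.com"))
    print("Relayed OTP accepted:", relay_totp_attack())
    print("Relayed passkey assertion accepted:", relay_webauthn_attack())
    print("Relayed assertion with rewritten origin accepted:", relay_webauthn_attack(tamper_origin=True))
    print("Passkey login from real origin accepted:", legitimate_webauthn_login())
```

The host match is the signal Hunt says he noticed too late: a manager that refuses to fill on `mailchimp-sso.com` is telling you the page is not the one you saved. The relay functions show why the two factors differ in kind rather than in strength: a TOTP is a bearer value that survives being copied across a proxy, whereas an origin-bound assertion is rejected whether the proxy forwards it as-is or rewrites the origin field.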
Cloudflare, which was fronting the phishing site at mailchimp-sso.com, has since taken down the page that stole Hunt’s credentials, completing the takedown within two hours to limit further damage.