Even the best prepared can run into security problems: the person who knows more about password theft than almost anyone recently had his own credentials stolen. Troy Hunt, project leader of Have I Been Pwned, was the victim of a phishing attack that obtained subscriber data. Hunt has been warning us about the risks of password theft for years. Breaches occurred so frequently that he eventually turned those warnings into Have I Been Pwned, a project that has since become a standard reference. Yet despite everything he knows, he has just fallen for the most common form of credential theft: a phishing email.
This is how Troy Hunt suffered a phishing attack that ended up compromising subscriber data
Troy Hunt described on his blog how he was duped by a carefully constructed phishing email purporting to come from Mailchimp, the service he uses to send out his newsletter. The notice told him that his sending privileges on the service would be limited because of a spam complaint, but offered a button with a link he could click to fix it. According to Hunt, "I’ve always been able to quickly recognize the numerous similar messages that I’ve gotten," but one crucial element worked against him: the time at which he received and read the message. Hunt was jet-lagged and exhausted when it arrived, and so did not notice that something was wrong.
After clicking the link, Hunt also noticed that his password manager did not automatically fill in his account details (normally the username and password). He noted that many platforms register you on one domain (the one the password manager has saved) and then authenticate you on another, so a missing autofill is easy to dismiss, even though here it could have been a sign that the domain requesting those credentials was not legitimate. Through the phishing attack, the attackers stole 16,000 records belonging to people who had subscribed to the newsletter, including some who had already unsubscribed; Mailchimp retains those records deliberately. The data includes email addresses, IP addresses, and latitude and longitude values that do not, however, point to the subscriber’s actual location.
As one would expect, the owner of the Have I Been Pwned website ultimately added the theft of his own data to the database that powers the platform; not doing so "would have been hypocritical," as he noted on his blog. He was also wise enough to tell others what had happened to him straight away. Phishing attempts typically rely on an urgent tone or message: they warn that something terrible will happen if you do not act. That is exactly why you should stay calm and collected when such communications arrive rather than acting impulsively or without thinking. It is probably the most important lesson to take from this incident.
Passkeys, which are unlocked with biometrics rather than a typed secret, are one way to avoid this specific problem, whereas traditional passwords remain susceptible to phishing. Provided we trust a passkey provider (Google or Apple, for instance), they unquestionably add a major layer of security, as two-factor authentication (2FA) has done up to now. How they are implemented, of course, varies considerably.
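The two defensive signals mentioned above, the password manager that refuses to autofill on an unfamiliar domain and the passkey that cannot be used from a phishing site, both come down to origin binding. The following is an added example, not code from Hunt's blog, from Mailchimp, or from Have I Been Pwned: the first part models a password manager's autofill decision, the second the check a passkey (WebAuthn) relying party performs on the origin the browser records in `clientDataJSON`. Every domain, credential and challenge value below is a constructed placeholder, and the eTLD+1 logic is a deliberate simplification of what real managers do with the Public Suffix List.

```python
"""Origin binding: why lookalike domains get no credentials.

Added example (not from the original article). Part 1 models a password
manager's autofill decision; part 2 models the relying-party origin check
on a WebAuthn assertion. Domains and values are constructed placeholders.
"""
import base64
import json
from urllib.parse import urlsplit

# Constructed vault: one credential saved for the legitimate login page.
VAULT = {
    "https://login.example-mail.test": {
        "username": "subscriber@example.test",
        "password": "placeholder-not-a-real-secret",
    },
}


def registrable_domain(host: str) -> str:
    """Approximate eTLD+1 by keeping the last two labels of the hostname.

    Real password managers consult the Public Suffix List so that, for
    example, 'co.uk' is not treated as a registrable domain. This
    simplification is enough to show the matching principle.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def autofill_candidates(vault: dict, page_url: str) -> list:
    """Return the usernames a password manager would offer on page_url.

    Credentials are offered only on https pages whose registrable domain
    matches the one the credential was saved for. A lookalike domain, a
    subdomain of an attacker's domain, or a plain-http page gets nothing,
    which is the silent warning Hunt's password manager gave him.
    """
    page = urlsplit(page_url)
    if page.scheme != "https" or not page.hostname:
        return []
    page_domain = registrable_domain(page.hostname)
    offered = []
    for saved_origin, cred in vault.items():
        saved_host = urlsplit(saved_origin).hostname
        if saved_host and registrable_domain(saved_host) == page_domain:
            offered.append(cred["username"])
    return offered


def make_client_data(origin: str) -> str:
    """Build a constructed clientDataJSON blob the way a browser would.

    The browser, not the page, fills in 'origin', so a phishing page cannot
    claim to be the real site. The challenge is a placeholder value.
    """
    data = {
        "type": "webauthn.get",
        "challenge": "cGxhY2Vob2xkZXI",  # constructed placeholder
        "origin": origin,
        "crossOrigin": False,
    }
    raw = json.dumps(data).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def passkey_origin_ok(client_data_b64: str, expected_origin: str) -> bool:
    """Model the relying party's origin check on a passkey assertion.

    Only the origin and ceremony type are checked here; a real server also
    verifies the challenge and the signature over authenticatorData and
    the hash of clientDataJSON. An assertion produced on a phishing origin
    fails this check even if the user approved it with their biometrics.
    """
    padded = client_data_b64 + "=" * (-len(client_data_b64) % 4)
    client_data = json.loads(base64.urlsafe_b64decode(padded))
    return (
        client_data.get("type") == "webauthn.get"
        and client_data.get("origin") == expected_origin
    )


if __name__ == "__main__":
    real = "https://login.example-mail.test/account"
    fake = "https://example-mail-support.test/verify"
    print("real page autofill:", autofill_candidates(VAULT, real))
    print("lookalike autofill:", autofill_candidates(VAULT, fake))
    rp = "https://login.example-mail.test"
    print("passkey from real origin accepted:",
          passkey_origin_ok(make_client_data(rp), rp))
    print("passkey from lookalike accepted:",
          passkey_origin_ok(make_client_data("https://example-mail-support.test"), rp))
```

The point of running both halves side by side is that the password manager's refusal is only a hint the user can override by pasting the password in by hand, which is what a tired reader does, whereas the passkey check happens on the server and cannot be talked around by the person being phished.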
What can people learn about the phishing that happened to Troy Hunt?
In the ever-changing world of digital security, where even the most watchful can fall victim to sophisticated phishing attempts, this incident serves as a warning. It also highlights how crucial strong security measures are for individuals and companies alike. As Hunt prepares to inform his subscribers about the breach, the online community needs to consider the wider ramifications of such security lapses.
Data breaches like this one can have a domino effect, affecting both the businesses tasked with protecting sensitive data and the individuals whose data is exposed. The seriousness of the situation grows as more online platforms encounter similar difficulties, calling for an ongoing discussion about security procedures and consumer protection in a world that grows more interconnected by the day.