HaveIBeenPwned is a website that allows users to check whether their data has been involved in data breaches. The website’s creator, Troy Hunt, was the subject of a phishing attack earlier this week. The attack was unrelated to the HaveIBeenPwned website and compromised Hunt’s personal Mailchimp account.

According to Hunt, he received an email purporting to be from Mailchimp regarding a flag on his account. When he clicked the “Review Account” button, he was taken to a fake Mailchimp domain. Hunt notes in a blog post that he manually entered his credentials and that they did not auto-populate from his password management application as they usually would.

Hunt received and entered a one-time password and was taken to a hung page. Now suspicious, he then reportedly logged into the legitimate Mailchimp site and changed his password, but the phishing attack was likely an automated process. Within minutes, Hunt had already received notification emails from Mailchimp regarding login activity and list exports from another unknown IP address. Hunt noted that the list included approximately 16,000 records, including current and former blog subscribers.

Below is the screenshot shared on Hunt’s blog:

Our conception is that a typical phishing email tends to be poorly worded, involves an unusual payment request, and is a blatantly implausible email. However, this incident demonstrates that phishing attacks are becoming increasingly sophisticated and can happen to anyone.

Takeaways:

1. Sense of urgency can be subtle – As bad actors become more sophisticated, not all phishing emails will create an unbelievable sense of urgency, such as asking users to update their payment or billing information to unlock an account. In Hunt’s case, he acknowledged that the notification created “just the right amount of urgency without being over the top.” Any email from an organization or person creating a sense of urgency warrants pause and contemplation before clicking or performing any action.
2. Circumvention of password manager could be a sign – Password managers are designed to autofill credentials on known websites. Hunt realized that his credentials did not populate into the fake Mailchimp site, which, in hindsight, was a potential sign of unusual activity. If a site that typically remembers your credentials requests them, this might be (though it is not always) a sign of a spoofed domain.
3. One-time passwords are not foolproof – Although multi-factor authentication provides enhanced security over using only usernames and passwords, one-time passwords cannot protect against such automated phishing attacks because once the user enters the one-time password onto the spoofed site, the bad actor now has access to the legitimate account.
4. Passkeys are more phishing-resistant – A passkey is a password replacement, where a digital credential tied to a user’s account allows them to authenticate into the account. Passkeys rely on biometrics or swipe patterns to sign users into accounts. Passkeys cannot be stolen as easily as passwords because they require the bad actor to have access to users’ biometrics or swipe patterns, which is not readily accessible.

No single tip or trick can help prevent phishing attacks, but remaining vigilant and enacting certain security measures can minimize the chances of becoming subject to such social engineering schemes.