Security Expert Troy Hunt’s Mailchimp Account Compromised in Phishing Attack

March 25, 2025

Troy Hunt, renowned information security expert and founder of HaveIBeenPwned, has reported a phishing attack that compromised his Mailchimp account, leading to the exposure of approximately 16,000 email subscribers’ information.

The breach affected both active subscribers and around 7,535 individuals who had previously unsubscribed. Hunt expressed frustration over Mailchimp’s retention of unsubscribed users’ data and is investigating whether this was due to a configuration issue on his part.

Hunt noted that he was jet lagged when he received the phishing email, which was crafted to create a sense of urgency, prompting him to log into a fraudulent page where he entered his credentials and a one-time passcode. He realized the deception moments later and attempted to secure his account, but within those few minutes the mailing list had already been exported; the automated attack completed within two minutes.

Hunt highlighted the limitations of traditional two-factor authentication (2FA) methods, noting that Mailchimp does not support phishing-resistant options like hardware security keys or passkeys. He emphasized that while 2FA via one-time passcodes offers some security, it remains vulnerable to automated phishing attacks that can relay these codes to the real site in real time.
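The difference Hunt is pointing at can be shown in a few dozen lines. The following is an added demonstration, not code from the article, from Mailchimp, or from Hunt: a TOTP code is a pure function of a shared secret and the clock, so a code typed into a fake page is just as valid when forwarded to the genuine site, whereas a WebAuthn-style credential is selected by the relying-party ID the browser derives from the page it is actually on, and the signed client data records that origin, so a relay from a look-alike origin fails at both points. The signature scheme is simplified to HMAC, and every origin, secret and name below is constructed for the demo.

```python
"""Added demo (not from the article): why a relayed one-time passcode still
works for an attacker while an origin-bound WebAuthn-style assertion does not.
HMAC stands in for the real signature; all names and values are constructed."""
import hashlib
import hmac
import json
import secrets
import struct
from urllib.parse import urlparse

REAL_ORIGIN = "https://login.example-mailer.test"            # constructed
PHISH_ORIGIN = "https://login.example-mailer-account.test"   # constructed look-alike


# ---- Part 1: TOTP depends only on (secret, time); it carries no origin ----
def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, as produced by an authenticator app."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def otp_server_accepts(server_secret: bytes, submitted: str, unix_time: int) -> bool:
    return hmac.compare_digest(totp(server_secret, unix_time), submitted)


def phish_relay_otp(shared_secret: bytes, unix_time: int) -> bool:
    """Victim reads the code from their app and types it into the fake page;
    the attacker's script forwards it to the real site inside the time window."""
    code_typed_on_fake_page = totp(shared_secret, unix_time)
    return otp_server_accepts(shared_secret, code_typed_on_fake_page, unix_time)


# ---- Part 2: WebAuthn-style credential bound to an RP ID and an origin ----
def rp_id_for(origin: str) -> str:
    """The browser derives the RP ID from the page the user is actually on."""
    return urlparse(origin).hostname


class Authenticator:
    """Passkey or security key: one credential per RP ID; signs client data."""

    def __init__(self):
        self._creds = {}

    def register(self, rp_id: str) -> bytes:
        key = secrets.token_bytes(32)   # stand-in for a key pair
        self._creds[rp_id] = key
        return key                      # the server stores this at registration

    def get_assertion(self, rp_id: str, challenge: str, origin: str):
        key = self._creds.get(rp_id)
        if key is None:
            return None  # no credential for this site: nothing to relay
        client_data = json.dumps({"challenge": challenge, "origin": origin},
                                 sort_keys=True)
        sig = hmac.new(key, client_data.encode(), hashlib.sha256).hexdigest()
        return {"client_data": client_data, "signature": sig}


def webauthn_server_accepts(stored_key: bytes, expected_origin: str,
                            challenge: str, assertion) -> bool:
    if assertion is None:
        return False
    data = json.loads(assertion["client_data"])
    if data.get("origin") != expected_origin or data.get("challenge") != challenge:
        return False   # client data signed for another origin is rejected here
    expected_sig = hmac.new(stored_key, assertion["client_data"].encode(),
                            hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected_sig, assertion["signature"])


def legit_webauthn_login(auth: Authenticator, stored_key: bytes) -> bool:
    challenge = secrets.token_hex(16)
    assertion = auth.get_assertion(rp_id_for(REAL_ORIGIN), challenge, REAL_ORIGIN)
    return webauthn_server_accepts(stored_key, REAL_ORIGIN, challenge, assertion)


def phish_relay_webauthn(auth: Authenticator, stored_key: bytes) -> bool:
    """Attacker fetches a genuine challenge and presents it on the look-alike
    origin. The browser asks only for credentials matching that page's RP ID,
    so the authenticator has nothing to sign and the relay fails."""
    challenge = secrets.token_hex(16)
    assertion = auth.get_assertion(rp_id_for(PHISH_ORIGIN), challenge, PHISH_ORIGIN)
    return webauthn_server_accepts(stored_key, REAL_ORIGIN, challenge, assertion)


def phish_relay_webauthn_origin_check(auth: Authenticator, stored_key: bytes) -> bool:
    """Second layer: even if the right credential were used from the wrong page,
    the origin recorded in the signed client data would not match."""
    challenge = secrets.token_hex(16)
    assertion = auth.get_assertion(rp_id_for(REAL_ORIGIN), challenge, PHISH_ORIGIN)
    return webauthn_server_accepts(stored_key, REAL_ORIGIN, challenge, assertion)


if __name__ == "__main__":
    seed = secrets.token_bytes(20)
    print("OTP relay accepted:", phish_relay_otp(seed, 1_700_000_000))
    auth = Authenticator()
    key = auth.register(rp_id_for(REAL_ORIGIN))
    print("passkey, genuine site:", legit_webauthn_login(auth, key))
    print("passkey, relayed from look-alike:", phish_relay_webauthn(auth, key))
```

The point of the two relay functions is that the protection does not rest on the user noticing anything: the browser and the server enforce the origin binding, which is exactly what a six-digit code cannot do.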

Hunt also expressed his frustration at Outlook’s iOS app, which displayed the sender name as “MailChimp Account Services” and hid the actual address, hr@group-f.be, which would have given the message away as a fake.
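A mail client that shows only the display name hides the one field that exposed this message. As an added example, not code from the article or from any mail client, the following parses the From header the way a filter or a user-side check would, separating the display name from the address and flagging a brand name in the display name whose sending domain is not one the brand is known to use. The sample message and the brand-to-domain table are constructed for the demo; the table is an assumption, not an authoritative list of Mailchimp's sending domains.

```python
"""Added example, not from the article or from any mail client: extract the
real sender address from a From header instead of trusting the display name,
and flag a claimed brand whose domain does not match. Sample data constructed."""
from email import message_from_string
from email.utils import parseaddr

# Constructed for the demo: domains a brand in the display name is expected to use.
BRAND_DOMAINS = {
    "mailchimp": {"mailchimp.com"},   # assumption, not an authoritative list
}

# Constructed message with the shape the article describes: a reassuring
# display name in front of an unrelated address.
SAMPLE_RAW = (
    "From: MailChimp Account Services <hr@group-f.be>\r\n"
    "To: victim@example.test\r\n"
    "Subject: Your account has been restricted\r\n"
    "\r\n"
    "Body text.\r\n"
)


def sender_parts(from_header: str):
    """Return (display_name, address, domain) from a From header value."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    return name, addr, domain


def brand_mismatch(from_header: str, table=BRAND_DOMAINS):
    """Return the brand name if the display name claims a brand but the address
    domain is not that brand's domain or a subdomain of it; otherwise None."""
    name, _addr, domain = sender_parts(from_header)
    lowered = name.lower()
    for brand, domains in table.items():
        claimed = brand in lowered
        legitimate = any(domain == d or domain.endswith("." + d) for d in domains)
        if claimed and not legitimate:
            return brand
    return None


def check_message(raw: str) -> dict:
    """Parse a raw RFC 5322 message and report what the user was not shown."""
    msg = message_from_string(raw)
    from_header = msg.get("From", "")
    name, addr, domain = sender_parts(from_header)
    return {
        "display_name": name,
        "address": addr,
        "domain": domain,
        "brand_mismatch": brand_mismatch(from_header),
    }


if __name__ == "__main__":
    print(check_message(SAMPLE_RAW))
```

The check is deliberately narrow: it only reports a mismatch between a brand the sender claims in the display name and the domain actually used, which is the signal the hidden address would have provided here. It says nothing about messages that use neutral display names, so it complements rather than replaces authentication checks such as SPF, DKIM and DMARC results.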

While we can parse this in hindsight and look for the things that Hunt should have caught, the real lesson is that if someone this well trained can fall victim to a phishing attack, all of us are vulnerable.

We also have to give Hunt credit for blogging about this immediately, providing screenshots and a full disclosure. That can’t have been an easy thing to do.

Jim Love

Jim Love's career in technology spans more than four decades. He's been a CIO and headed a worldwide Management Consulting practice. As an entrepreneur he built his own tech business. Today he is a podcast host with the popular tech podcasts Hashtag Trending and Cybersecurity Today with over 14 million downloads. As a novelist, his latest book "Elisa: A Tale of Quantum Kisses" is an Audible best seller. In addition, Jim is a songwriter and recording artist with a Juno nomination and a gold album to his credit. His music can be found at music.jimlove.com