In a twist that's catching the attention of the cybersecurity world, even the experts aren't immune to deception. Troy Hunt, renowned for creating Have I Been Pwned and serving as a Microsoft Regional Director, publicly revealed that he recently fell victim to a phishing attack. The result? A full export of his Mailchimp mailing list, impacting roughly 16,000 email records.
Known for his weekly blogs on cybersecurity and his popular data breach monitoring platform, Hunt has long advocated for online safety. But during a recent trip, a moment of vulnerability led to what he called a “very well-crafted phish.”
The Deceptive Email That Triggered the Attack on Troy Hunt
The phishing attempt came in the form of an official-looking message from what appeared to be Mailchimp. It warned that his account’s sending privileges had been restricted following a spam complaint. To regain access, the attackers prompted Hunt to review his campaigns and audience data—pushing just the right buttons to create a sense of urgency without triggering suspicion.
The link provided led him to a fake login page hosted on a domain called mailchimp-sso.com. Hunt admitted that while logging in, something felt slightly off: his password manager, 1Password, didn't auto-fill his credentials. That is exactly how a password manager is supposed to behave, since it matches saved logins against the site's domain, and mailchimp-sso.com is not mailchimp.com. But being jetlagged and distracted while traveling, he didn't catch the red flag in time. After typing his password and a one-time password by hand, the page hung. That's when he realized the trap.
Moments later, he rushed to the real Mailchimp website and received a notification confirming what had just occurred. Although he quickly changed his password, the attackers had already used an IP address in New York to export the full mailing list.
Reflecting on the breach in a blog post, Hunt outlined how the attackers used social engineering to trick him. It wasn’t the usual over-the-top phishing email. Instead, it was subtle and convincing, sparking just enough concern to cloud his judgment.
“What got me,” he explained, “was that it didn’t yell at me to act immediately. It just nudged me into believing my newsletter was at risk. That was enough to act without thinking.”
One subtle red flag was the lack of autofill from his password manager—something he now says should have stopped him. But in the moment, that detail didn’t seem strange enough to pause.
One surprising revelation was that the exported data didn’t just include current subscribers—it also contained emails of people who had previously unsubscribed. That’s because Mailchimp, for reasons not made clear, continues to retain unsubscribed email addresses. Hunt is now asking Mailchimp for clarification on how long it stores user data and why it doesn’t permanently delete unsubscribed contacts by default.
Fortunately, Mailchimp restored access to Hunt’s account and the newsletter is back up and running. But the incident sheds light on how sophisticated phishing has become—and how everyone, even seasoned cybersecurity professionals, can fall victim.
This incident is a wake-up call for anyone who still believes phishing attacks are easy to spot. Gone are the days when suspicious emails were full of bad grammar and obvious threats. Today’s attackers craft believable, targeted messages that exploit emotional responses—like fear, inconvenience, or urgency.
What's more alarming is that even layered defenses like multi-factor authentication (MFA) can be circumvented when attackers relay a one-time password in real time from a cloned page. A time-based or SMS code is valid for a short window no matter where the victim typed it, so a phishing site that forwards the password and code to the real site within that window logs in as the victim. Only phishing-resistant MFA, such as FIDO2/WebAuthn passkeys, which bind the login to the genuine site's origin, defeats this kind of relay.
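The following is a constructed simulation added to illustrate the three mechanics the article touches on: why the password manager refused to fill on mailchimp-sso.com, why a relayed one-time password still verifies at the real site, and why an origin-bound (WebAuthn-style) login does not survive the same relay. It is example code, not Mailchimp's, 1Password's, or Troy Hunt's. The origins, passwords, secrets and keys are made up, the domain matching is a toy version of what real managers do with the Public Suffix List, and HMAC stands in for the authenticator's asymmetric signature because the Python standard library has none.

```python
"""Constructed simulation of the phish described above (added example, not
code from the article or from any vendor). Origins, secrets and keys are
made up; HMAC stands in for the authenticator's asymmetric signature."""
import hashlib
import hmac
import struct
from urllib.parse import urlsplit

REAL_ORIGIN = "https://login.mailchimp.com"   # assumed real login origin
PHISH_ORIGIN = "https://mailchimp-sso.com"    # lookalike named in the article


def registrable_domain(host: str) -> str:
    """Toy eTLD+1 (last two labels). Real managers use the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def manager_will_fill(saved_url: str, page_url: str) -> bool:
    """A password manager fills only when the page's registrable domain
    matches the domain the credential was saved for (the 'no autofill' signal)."""
    saved = registrable_domain(urlsplit(saved_url).hostname or "")
    page = registrable_domain(urlsplit(page_url).hostname or "")
    return saved == page


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s step), as an authenticator app produces."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class RealService:
    """The genuine site. Accepts password+TOTP or an origin-bound assertion."""

    def __init__(self, password: str, totp_secret: bytes, device_key: bytes):
        self.password = password
        self.totp_secret = totp_secret
        self.device_key = device_key

    def login_with_totp(self, password: str, code: str, now: int) -> bool:
        # Nothing ties the code to where the user typed it, so a code relayed
        # from a cloned page inside the 30 s window verifies just fine.
        return hmac.compare_digest(password, self.password) and \
            hmac.compare_digest(code, totp(self.totp_secret, now))

    def login_with_assertion(self, challenge: bytes, assertion: dict) -> bool:
        # WebAuthn-style check: the browser put the page origin into the
        # signed data, so a signature made on the phishing page is rejected
        # here, and rewriting the origin field breaks the signature.
        expected = hmac.new(self.device_key, challenge + assertion["origin"].encode(),
                            hashlib.sha256).digest()
        return assertion["origin"] == REAL_ORIGIN and \
            hmac.compare_digest(assertion["sig"], expected)


def authenticator_sign(device_key: bytes, challenge: bytes, page_origin: str) -> dict:
    """What the browser/authenticator produces. The origin comes from the page
    the browser actually loaded, not from anything the site's script supplies."""
    sig = hmac.new(device_key, challenge + page_origin.encode(), hashlib.sha256).digest()
    return {"origin": page_origin, "sig": sig}


def run_simulation(now: int = 1_700_000_000) -> dict:
    """Plays out the scenarios and returns each outcome."""
    service = RealService("hunter2", b"constructed-totp-seed", b"constructed-device-key")

    # 1. Victim lands on the clone; the manager refuses to fill.
    fills = manager_will_fill(REAL_ORIGIN + "/login", PHISH_ORIGIN + "/login")

    # 2. Victim types password and current code anyway; the clone relays both
    #    to the real site straight away, acting as the client.
    typed_code = totp(service.totp_secret, now)
    relayed_totp_ok = service.login_with_totp("hunter2", typed_code, now)

    # 3. Same relay against an origin-bound login: the clone forwards the real
    #    site's challenge, the victim's authenticator signs it, but the signed
    #    origin is the phishing page's.
    challenge = hashlib.sha256(b"constructed-challenge").digest()
    phished = authenticator_sign(service.device_key, challenge, PHISH_ORIGIN)
    relayed_assertion_ok = service.login_with_assertion(challenge, phished)

    # Attacker patches the origin field before forwarding; the MAC no longer matches.
    tampered = dict(phished, origin=REAL_ORIGIN)
    tampered_ok = service.login_with_assertion(challenge, tampered)

    return {
        "manager_autofilled": fills,
        "relayed_totp_accepted": relayed_totp_ok,
        "relayed_assertion_accepted": relayed_assertion_ok,
        "tampered_assertion_accepted": tampered_ok,
    }


if __name__ == "__main__":
    for name, outcome in run_simulation().items():
        print(f"{name}: {outcome}")
```

Running it prints that the manager did not fill, the relayed TOTP was accepted, and both the relayed and the tampered origin-bound assertions were rejected. The TOTP helper is checked against the RFC 6238 SHA-1 test vector, so the relay result is not an artifact of a broken code generator.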
The fake domain used in Hunt’s case—mailchimp-sso.com—was eventually taken down by Cloudflare, but not before the damage was done. The entire episode underscores how quickly cybercriminals move, and how critical it is to stay vigilant at all times.
For both IT professionals and everyday users, the takeaway is clear: Don't let your guard down, even for a moment. Use a trusted password manager and treat its refusal to fill a login as a signal to stop and check the address bar; question unexpected login prompts, especially ones that arrive by email link; double-check suspicious URLs before typing anything; and make sure multi-factor authentication is in place, preferring phishing-resistant options such as passkeys or hardware security keys wherever a service offers them.
As phishing techniques become more refined, cybersecurity awareness is no longer optional—it’s essential.