Infosec pro Troy Hunt HasBeenPwned in Mailchimp phish • The Register

03/25/2025


Infosec veteran Troy Hunt of HaveIBeenPwned fame is notifying thousands of people after phishers scooped up his Mailchimp mailing list.

He said the list comprises around 16,000 records and every active subscriber will be receiving a notification and apology email soon. Around half of these records (7,535), however, pertain to individuals who had unsubscribed from the list.

Hunt questioned why Mailchimp retained data on unsubscribed users and said he would investigate whether it was a configuration issue on his end. The Register has asked Mailchimp for comment.

A jet-lagged Hunt offered his apologies to those affected, saying he’s “enormously frustrated with myself for having fallen for this.”

The phish itself, he said, was “very well crafted,” although he admitted his tiredness played a huge role in its success.

Hunt blogged about the incident immediately, providing screenshots of the phishing email he received, which does have a more authentic look about it than many others flying around these days.

The email employed the classic time pressure to urge would-be victims to act fast. In this case, the email told Hunt he would be unable to blast his subscribers with updates until he logged into his account and reviewed his campaigns following a spam complaint.

This created “just the right amount of urgency,” Hunt said. Not too much so that it seemed overtly suspicious, but enough to demand a fast response.

He followed the link, entered his credentials and one-time passcode (OTP), watching as the page “hung” – or became unresponsive. Moments later he realized what happened and went to change his password in his account, but received an email from Mailchimp notifying him that the mailing list had successfully been exported.

The time between handing over his credentials and the list being exported was less than two minutes, suggesting the attack was automated rather than specifically targeted at him.

“Ironically, I’m in London visiting government partners, and I spent a couple of hours with the National Cyber Security Centre yesterday talking about how we can better promote passkeys, in part due to their phishing-resistant nature,” he blogged on Tuesday morning.

Mailchimp doesn’t offer phishing-resistant two-factor authentication (2FA) methods such as hardware security keys or passkeys, opting instead for OTPs delivered either through an authenticator app or by SMS.

“By no means would I encourage people not to enable 2FA via OTP, but let this be a lesson as to how completely useless it is against an automated phishing attack that can simply relay the OTP as soon as it’s entered,” said Hunt.

He added that the API key created as part of the fraudulent login was deleted, eliminating any persistent access to his account.

Hunt also said that users of password managers should keep an eye out for whether credentials auto-fill on websites, since a failure to auto-fill could be an indicator of a phishing site.

However, this isn’t a catch-all protection because there are various websites that use different domains for authentication. Hunt pointed to his Qantas account as one example where the qantas.com.au website authenticates from accounts.qantas.com.

He also alluded to the idea that some blame should fall on Outlook’s iOS app, which rendered the phishing email’s fraudulent sender name as ‘MailChimp Account Services.’ Aside from the erroneous styling of the Mailchimp brand, it crucially didn’t reveal the domain behind it (hr@group-f.be) – the more obvious indicator of fraudulence, as it has no ties to Mailchimp’s infrastructure.
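As an added illustration (not code from Hunt’s post or The Register), the two heuristics described above in Python: splitting a From header into its display name and sending domain, and the domain-scoped autofill decision a password manager makes. The From header is reconstructed from the display name and address quoted in the article, and the short two-level suffix list stands in for the full Public Suffix List.

```python
from email.utils import parseaddr

# Constructed stand-in for the Public Suffix List: two-level public suffixes
# where the registrable domain is the last three labels, not two.
TWO_LEVEL_SUFFIXES = {"com.au", "net.au", "co.uk"}


def registrable_domain(host: str) -> str:
    """Reduce a hostname to its registrable domain (eTLD+1)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def sender_mismatch(from_header: str, expected_domain: str) -> dict:
    """Separate the display name a mail client shows from the address behind it,
    and report whether the sending domain matches the brand the name claims."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    sender_domain = registrable_domain(domain) if domain else ""
    return {
        "display_name": name,
        "address": addr,
        "sender_domain": sender_domain,
        "mismatch": sender_domain != expected_domain.lower(),
    }


def autofill_would_match(saved_for: str, login_host: str) -> bool:
    """Mimic a password manager's domain-scoped autofill: credentials saved for
    one registrable domain are offered only on hosts under that same domain."""
    return registrable_domain(saved_for) == registrable_domain(login_host)


if __name__ == "__main__":
    # Display name styled as the brand, address on an unrelated domain.
    print(sender_mismatch("MailChimp Account Services <hr@group-f.be>", "mailchimp.com"))
    # Lookalike login host: no autofill, which is the signal Hunt describes.
    print(autofill_would_match("mailchimp.com", "mailchimp-sso.com"))
    # Hunt's caveat: a legitimate site authenticating from a different domain
    # also fails the check, so a missing autofill is a hint, not proof.
    print(autofill_would_match("qantas.com.au", "accounts.qantas.com"))
```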

The domain used to host the credential-nabbing page (mailchimp-sso.com) has since been taken down by Cloudflare, just over two hours after Hunt’s credentials were stolen. ®
