
When Even Security Experts Get Phished: Troy Hunt’s Wake-Up Call for Houston Businesses
Nobody’s Immune: What Troy Hunt’s Experience Teaches Us All – Jet Lag, Urgency, and Phishing
The Incident: A Security Expert Falls Victim
On March 25, 2025, Troy Hunt—the cybersecurity researcher behind the popular “Have I Been Pwned?” data breach notification site—admitted to falling victim to a phishing attack. The incident didn’t impact his Have I Been Pwned service, but it did expose the email addresses of subscribers to his personal blog.
In his blog post titled “A Sneaky Phish Just Grabbed my Mailchimp Mailing List,” Hunt described how he received an email purportedly from email marketing platform Mailchimp falsely claiming that his account had been restricted due to a spam complaint. The email created “just the right amount of urgency without being over the top,” making Hunt believe he wouldn’t be able to send out his newsletter.
How the Attack Unfolded
The phishing attack was polished but followed a classic pattern:
- Hunt received an email claiming to be from Mailchimp, stating that his account had been restricted due to a spam complaint
- The email prompted him to enter his login details on a fake site posing as Mailchimp (mailchimp-sso.com)
- Hunt typed in his credentials by hand; his password manager, 1Password, had not auto-filled them on the unfamiliar domain
- He then entered his one-time passcode on the fake site, which relayed it to Mailchimp
- The attackers immediately used his credentials to access his genuine Mailchimp account
Hunt, by his own admission, was traveling and somewhat jet-lagged, with the “cogs in his head moving that little bit too slow.” He quickly realized his mistake and changed his login details, but not before the attackers had exported a mailing list containing more than 16,000 email addresses, including both current and unsubscribed blog subscribers.
Key Lessons From The Incident
Hunt publicly acknowledged that the attack highlighted several important security considerations:
- The limitations of passwords and traditional two-factor authentication (2FA) in preventing sophisticated phishing attacks
- The need for more sites to adopt phishing-resistant authentication methods
- The ineffectiveness of one-time passwords (OTP) against automated phishing attacks
“By no means would I encourage people not to enable 2FA via OTP, but let this be a lesson as to how completely useless it is against an automated phishing attack that can simply relay the OTP as soon as it’s entered,” Hunt concluded.
Other key takeaways from the incident include:
- A sense of urgency in emails, even subtle ones, warrants pause before clicking
- When a password manager doesn’t auto-fill credentials on a known website, it could be a sign of a spoofed domain
- One-time passwords add a layer of security but do not protect against automated phishing attacks that relay the code as soon as it is entered
Why Passkeys Are A Better Solution
Hunt advocated for passkeys, a modern alternative to passwords that relies on cryptographic secrets stored on registered devices and unlocked locally by biometrics or a swipe pattern. Passkeys are more phishing-resistant because the secret never leaves the device and cannot be typed into or replayed from a look-alike site. They cannot be stolen as easily as passwords because a bad actor would need both the registered device and the user’s biometrics or swipe pattern, none of which is readily accessible.
The incident inspired Hunt to register “whynopasskeys.com” to build pressure on services that don’t support unphishable second factors. He noted that “today’s phish could not have happened against accounts using a phishing resistant second factor.”
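Why the relay trick works against an OTP but not against a passkey, as an added Go example that is not from the post, from Hunt or from Mailchimp: a stripped-down model of WebAuthn origin binding in which the genuine service rejects any assertion that was signed for a different origin. The origins, the challenge value and the key handling are constructed and simplified (no authenticator data, rpId hash or signature counter), and error handling is elided.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
)

// Constructed origins: the genuine login page and the look-alike domain named in the post.
const RealOrigin = "https://login.mailchimp.com"
const FakeOrigin = "https://mailchimp-sso.com"
// clientData is what gets signed; the browser, not the user, fills in the origin of the current page.
type clientData struct{ Challenge, Origin string }
// Authenticator models the user's device: the private key is generated here and never leaves it.
type Authenticator struct{ priv *ecdsa.PrivateKey }
// RelyingParty models the genuine service: its own origin plus the public key registered at enrolment.
type RelyingParty struct{ Origin string; Pub *ecdsa.PublicKey }

// Enroll registers a fresh passkey with the real service (key-generation errors elided for brevity).
func Enroll() (*Authenticator, *RelyingParty) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Authenticator{priv}, &RelyingParty{RealOrigin, &priv.PublicKey}
}

// Sign returns (clientData JSON, signature) for a login attempted while the user is on pageOrigin.
func (a *Authenticator) Sign(challenge, pageOrigin string) ([]byte, []byte) {
	cd, _ := json.Marshal(clientData{challenge, pageOrigin})
	h := sha256.Sum256(cd)
	sig, _ := ecdsa.SignASN1(rand.Reader, a.priv, h[:])
	return cd, sig
}

// Verify accepts only a genuine signature over the RP's own challenge AND origin: an assertion minted on the look-alike site fails even though the key and signature are real.
func (rp *RelyingParty) Verify(challenge string, cdJSON, sig []byte) (ok bool, reason string) {
	var cd clientData
	json.Unmarshal(cdJSON, &cd) // malformed input leaves cd empty and fails the check below
	if cd.Challenge != challenge || cd.Origin != rp.Origin {
		return false, "challenge or origin mismatch: " + cd.Origin
	}
	h := sha256.Sum256(cdJSON)
	if !ecdsa.VerifyASN1(rp.Pub, h[:], sig) {
		return false, "bad signature"
	}
	return true, "ok"
}
// CheckOTP is the contrast: a code carries no origin, so a relayed one is indistinguishable from the real thing.
func CheckOTP(expected, relayed string) bool { return expected == relayed }
```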
How CinchOps Can Help Secure Your Business
In light of Troy Hunt’s experience, it’s clear that traditional security measures aren’t enough to protect against sophisticated phishing attacks. CinchOps can help secure your business by:
- Implementing phishing-resistant authentication solutions including passkey technology
- Providing comprehensive security awareness training that recognizes anyone can fall victim
- Setting up advanced email filtering and protection systems
- Establishing clear incident reporting protocols that don’t shame employees
- Deploying multi-layered security strategies that don’t rely solely on passwords or OTPs
Discover more about our enterprise-grade, business-protecting cybersecurity services on our Cybersecurity page.
As security expert Paul Walsh noted in his analysis of the Hunt incident, “If Troy Hunt can fall for phishing, anyone can.” This underscores the need for technical solutions that don’t rely solely on human vigilance.
By partnering with CinchOps, you can implement modern security practices that address the vulnerabilities exposed by even the most sophisticated phishing attacks.