CyberSecurity news


jane.mccallion@futurenet.com (itpro.com)
Security expert Troy Hunt, creator of the data breach notification site Have I Been Pwned, has fallen victim to a phishing attack. The incident, disclosed on March 25, 2025, resulted in the compromise of his email subscriber list, affecting approximately 16,000 current and past subscribers to his personal blog. The attackers gained access to Hunt's Mailchimp account after he clicked a malicious link in an email disguised as a legitimate notice from the email marketing provider, then exported the list. According to the Have I Been Pwned entry for the incident, the export contained the email addresses together with data Mailchimp collects automatically, including IP address and a derived latitude, longitude and time zone.

Hunt disclosed the breach immediately, emphasizing the importance of transparency and acknowledging his frustration at falling for the scam. The phishing email manufactured urgency by claiming a spam complaint had triggered a temporary suspension of his account, prompting him to enter his credentials and one-time passcode on the attacker's page. 2FA was enabled on the Mailchimp account, but it was the one-time-code variety: a code typed into an attacker-controlled page is just another secret that can be relayed to the real site within its validity window, so the attacker logged in and exported the list with it. Only phishing-resistant factors, such as FIDO2/WebAuthn passkeys that cryptographically bind the login to the site's origin, defeat this kind of real-time relay. Industry experts have said the incident underscores how even seasoned cybersecurity professionals are vulnerable to social engineering that preys on human weaknesses, such as tiredness and a sense of urgency.
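The following is an added illustration written for this page; it is not code from the article, from Troy Hunt, or from Mailchimp, and it makes no claim about the specific kit used against him. It models the generic class of attack described above, an adversary-in-the-middle phishing page that forwards what the victim types to the real service, against two second factors: a time-based one-time code (RFC 6238 TOTP), which the relay passes straight through, and a WebAuthn-style origin-bound assertion, which fails verification because the browser, not the attacker, supplies the origin that gets signed. The service, origins, victim record and the HMAC-based "signature" standing in for a real WebAuthn key pair are all constructed assumptions.

```python
"""Why OTP 2FA falls to a real-time phishing relay and origin-bound factors don't.

Added example for this page (not the article's or any vendor's code). The toy
relying party, origins, victim record and HMAC stand-in for WebAuthn signatures
are assumptions made for illustration.
"""
import hashlib
import hmac
import os
import struct

REAL_ORIGIN = "https://mailer.example"               # assumed real service origin
PHISH_ORIGIN = "https://mailer-example-notice.example"  # assumed look-alike phishing origin

# Constructed victim record; nothing here is real credential material.
VICTIM = {
    "user": "blog-owner",
    "password": "correct horse battery staple",
    "totp_secret": b"\x01" * 20,   # shared secret from the authenticator-app enrolment
    "fido_key": b"\x02" * 32,      # stand-in for the authenticator's private key
}


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1, 30-second steps, 6 digits."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def authenticator_sign(key: bytes, origin: str, challenge: bytes):
    """What a WebAuthn authenticator does: sign client data that the BROWSER
    built, including the origin the user is actually on. HMAC stands in for
    the real public-key signature (assumption)."""
    client_data = f"{origin}|{challenge.hex()}".encode()
    return client_data, hmac.new(key, client_data, hashlib.sha256).digest()


class Service:
    """Toy relying party supporting password+TOTP and an origin-bound factor."""

    def __init__(self, record: dict):
        self.record = record
        self.issued = set()   # outstanding WebAuthn challenges

    def login_totp(self, user: str, password: str, code: str, unix_time: int) -> bool:
        r = self.record
        if user != r["user"] or not hmac.compare_digest(password, r["password"]):
            return False
        # Most services accept one step of clock skew either side.
        return any(hmac.compare_digest(code, totp(r["totp_secret"], unix_time + d * 30))
                   for d in (-1, 0, 1))

    def challenge(self) -> bytes:
        ch = os.urandom(16)
        self.issued.add(ch)
        return ch

    def login_fido(self, user: str, challenge: bytes, client_data: bytes, signature: bytes) -> bool:
        if user != self.record["user"] or challenge not in self.issued:
            return False
        self.issued.discard(challenge)                      # single use
        origin, _, ch_hex = client_data.decode().partition("|")
        if origin != REAL_ORIGIN or ch_hex != challenge.hex():
            return False                                    # wrong origin: relayed assertion
        expected = hmac.new(self.record["fido_key"], client_data, hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)


def totp_relay_attack(service: Service, victim_time: int) -> bool:
    """Victim types password + current code into the phishing page; the kit
    forwards both to the real service a few seconds later. Returns whether the
    real service accepted the relayed login."""
    typed_code = totp(VICTIM["totp_secret"], victim_time)
    return service.login_totp(VICTIM["user"], VICTIM["password"], typed_code, victim_time + 5)


def fido_relay_attack(service: Service) -> bool:
    """Kit fetches a real challenge and relays it to the victim's browser, which
    signs it under the ORIGIN IT IS ON (the phishing site). Returns whether the
    real service accepted it."""
    ch = service.challenge()
    client_data, sig = authenticator_sign(VICTIM["fido_key"], PHISH_ORIGIN, ch)
    return service.login_fido(VICTIM["user"], ch, client_data, sig)


def fido_legitimate_login(service: Service) -> bool:
    """Same flow from the genuine site, for comparison."""
    ch = service.challenge()
    client_data, sig = authenticator_sign(VICTIM["fido_key"], REAL_ORIGIN, ch)
    return service.login_fido(VICTIM["user"], ch, client_data, sig)


if __name__ == "__main__":
    svc = Service(VICTIM)
    print("TOTP relayed by phish accepted:", totp_relay_attack(svc, 1_742_900_000))
    print("Origin-bound assertion relayed by phish accepted:", fido_relay_attack(svc))
    print("Origin-bound assertion from real site accepted:", fido_legitimate_login(svc))
```

The relay succeeds against TOTP because the service has no way to tell a code typed on the real site from one forwarded from a look-alike; both arrive inside the same 30-second window. The origin-bound assertion fails because the attacker cannot alter the origin field without invalidating the signature, which is why the attacker-controlled page can do nothing useful with it.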



References :
  • bsky.app: Have I Been Pwned creator Troy Hunt says the data of over 16,000 newsletter subscribers has been stolen after he fell for a Mailchimp phishing attack
  • cyberinsider.com: Details the phishing attack on Troy Hunt's Mailchimp account, exposing subscriber data.
  • The Register - Security: Infosec pro Troy Hunt HasBeenPwned in Mailchimp phish
  • DataBreaches.Net: Troy Hunt, owner of HaveIBeenPwned.com, writes: You know when you’re really jet lagged and really tired and the cogs in your head are just moving that little bit too slow? That’s me right now, and the penny has just dropped that a Mailchimp phish has grabbed my credentials, logged into my account and exported the...
  • PCMag UK security: Creator of HaveIBeenPwned Data Breach Site Falls for Phishing Email.
  • Information Security Buzz: Troy Hunt, a security consultant who runs the popular data-breach search service Have I Been Pwned?, has disclosed that he has become a victim of a phishing attack that exposed the email addresses of 16,000 subscribers to his blog troyhunt.com. "Every active subscriber on my list will shortly [...]
  • www.itpro.com: Have I Been Pwned owner Troy Hunt’s mailing list compromised in phishing attack
  • www.csoonline.com: Even anti-scammers get scammed: security expert Troy Hunt pwned by phishing email
  • www.techradar.com: HaveIBeenPwned owner suffers phishing attack that stole his Mailchimp mailing list
  • haveibeenpwned.com: In March 2025, . The exported list contained 16k email addresses and other data automatically collected by Mailchimp including IP address and a derived latitude, longitude and time zone.
  • Malwarebytes: Security expert Troy Hunt hit by phishing attack
  • heise Security: Have I Been Pwned: project operator Troy Hunt pwned. The operator of Have I Been Pwned has himself become the victim of a phishing attack. The email addresses on the newsletter mailing list were stolen.
  • bsky.app: Troy Hunt's mailing list got phished. Commiserations to him. If it can happen to Troy, it can probably happen to you.
Classification:
  • HashTags: #Phishing #HIBP #SecurityBreach
  • Company: Troy Hunt
  • Target: Troy Hunt's Subscribers
  • Product: Mailchimp
  • Feature: phishing attack
  • Malware: Mailchimp Phish
  • Type: Hack
  • Severity: Medium