Phishing Scam Targets Expert

Despite being one of the industry’s most recognized security experts, Troy Hunt—founder of Have I Been Pwned?—fell victim to a sophisticated phishing attack on March 25, 2025. The clever scam compromised approximately 16,000 email addresses from his blog subscriber list.

In a twist of cyber-irony, phishing scammers hooked the big fish himself—along with 16,000 innocent subscribers.

Talk about an awkward position for someone who literally built his career on data breaches.

The attack targeted Hunt’s Mailchimp account through a well-crafted email claiming his account’s sending privileges had been restricted. Jet-lagged and tired, Hunt missed the warning signs. The phishing email arrived at an address he only used for Mailchimp, creating an air of legitimacy.

Even more telling? His password manager didn’t auto-fill credentials on the fake site—a red flag Hunt overlooked in his fatigued state.

The attackers didn’t waste time. Using the domain “mailchimp-sso.com,” they collected Hunt’s login credentials and one-time passcode, creating an API key for persistent access. The automated attack exported his entire mailing list before he could blink.

The stolen data included email addresses, IP addresses, rough geolocation data, subscription status, and timestamps. Of the 16,000 records exfiltrated, approximately 7,500 belonged to unsubscribed users whose data was still retained by Mailchimp.

Hunt realized his mistake within minutes. He immediately logged into the legitimate Mailchimp site, changed his password, deleted the rogue API key, and notified subscribers via a blog post. The response shows why recognizing attacker techniques in real time matters: it was quick, but the damage was done.

Security experts weighed in on the incident. Aditi Gupta noted how attackers exploit fear and urgency, while Erich Kron emphasized that even professionals can fall victim to phishing scams. The attackers effectively exploited psychological manipulation by creating a sense of urgency without raising alarm bells.

No kidding.

The incident highlights serious limitations in current security measures. OTP-based two-factor authentication proved useless against this real-time attack. Hunt now advocates for phishing-resistant authentication methods like passkeys.
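The two technical points in this story (the password manager that refused to auto-fill on the lookalike domain, and the OTP that verified fine even though it was typed into a phishing page) come down to one property: whether the secret is bound to the site's origin. The following is an added illustration, not code from Hunt, Mailchimp, or any password manager; the saved origin `login.mailchimp.com`, the sample OTP value, and the simplified registrable-domain rule (last two DNS labels instead of the Public Suffix List) are assumptions made for the example.

```python
from urllib.parse import urlsplit

# Constructed for this example: the user has credentials saved for the
# legitimate login page. Real managers store the full origin; matching is
# done on the registrable domain (eTLD+1), approximated here by taking
# the last two labels. Production code should consult the Public Suffix List.
SAVED_ORIGIN = "https://login.mailchimp.com"


def registrable_domain(host: str) -> str:
    """Approximate eTLD+1: 'login.mailchimp.com' -> 'mailchimp.com'."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def credentials_apply(saved_origin: str, visited_url: str) -> bool:
    """Would a password manager offer the saved credentials on this page?

    A lookalike such as mailchimp-sso.com has a different registrable
    domain, so the manager stays silent. That silence is the red flag
    the article mentions.
    """
    saved_host = urlsplit(saved_origin).hostname or ""
    visited = urlsplit(visited_url)
    if visited.scheme != "https":
        return False
    return registrable_domain(saved_host) == registrable_domain(visited.hostname or "")


def otp_accepts_relayed_code(code_typed_on_phishing_page: str,
                             code_expected_by_real_site: str) -> bool:
    """Model of a TOTP/SMS second factor.

    The verifier only sees a six-digit string. It cannot tell whether the
    user typed it into the real site or into a proxy that relays it within
    the validity window, so a relayed code is accepted.
    """
    return code_typed_on_phishing_page == code_expected_by_real_site


def passkey_accepts(rp_id: str, client_origin: str) -> bool:
    """Model of the WebAuthn origin check a passkey (and the browser) enforce.

    The authenticator signs a challenge that includes the requesting origin,
    and the browser only allows the ceremony when that origin's host equals
    the relying-party ID or is a subdomain of it. A phishing host is neither,
    so there is nothing for the attacker to relay.
    """
    host = (urlsplit(client_origin).hostname or "").lower()
    rp_id = rp_id.lower()
    return host == rp_id or host.endswith("." + rp_id)


def compare_factors(phishing_origin: str, relayed_otp: str, real_otp: str) -> dict:
    """Summarize how each factor behaves when the user lands on a lookalike."""
    return {
        "password_manager_offers_fill": credentials_apply(SAVED_ORIGIN, phishing_origin),
        "otp_relay_succeeds": otp_accepts_relayed_code(relayed_otp, real_otp),
        "passkey_signs_for_phisher": passkey_accepts("mailchimp.com", phishing_origin),
    }


if __name__ == "__main__":
    # Domain from the article; the OTP value is a constructed sample.
    print(compare_factors("https://mailchimp-sso.com/login", "482913", "482913"))
```

Running the comparison against the lookalike domain from the article gives `password_manager_offers_fill: False`, `otp_relay_succeeds: True`, `passkey_signs_for_phisher: False`, which is exactly the asymmetry Hunt describes: the OTP is a bearer secret that works wherever it is typed, while both the password manager's fill decision and a passkey assertion are tied to the origin the browser is actually on.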

The silver lining? Hunt’s transparency. By publicly admitting his mistake, he turned an embarrassing situation into an educational opportunity.

Seems even cybersecurity gurus aren’t immune to clever social engineering. Password manager ignored? Check. Urgent email? Check. Human error? Double check.
