Software developer Troy Hunt has warned users for years about the dangers of password theft. It happened so often that he turned his warnings into a benchmark project: Have I Been Pwned? Despite his expertise, he just fell for credential theft using the most common method of all: a phishing email.
It can happen to anyone. In his blog, Hunt recounts how he fell for a well-crafted trap—a phishing email posing as Mailchimp, the platform he uses to distribute his newsletter. The message claimed he had received a spam complaint and that his sending privileges were being restricted. To resolve the issue, he needed to click a button with a link.
Why did this phishing work? Hunt explained that while he’s received many similar messages that he quickly identified as scams, one key factor worked against him this time—his timing. He was jet-lagged and exhausted when he read the message and didn’t immediately recognize it as suspicious.
Hard-to-spot clues. After clicking the link, Hunt noticed that his password manager didn’t auto-fill his login credentials. That should have been a red flag, since password managers only offer saved credentials on domains they recognize from the original login. However, many platforms register users on one domain and authenticate them on another, so a missing auto-fill is not always a reliable phishing signal.
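The domain check a password manager performs before auto-filling, as an added example that is neither Hunt's code nor any real password manager's: a saved credential is offered only when the page's registrable domain matches one the entry was saved for, so a lookalike host fails while a separate but explicitly saved login domain still matches. The tiny public-suffix set and the vault entry are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed, deliberately tiny stand-in for the Public Suffix List; a real
# password manager consults the full list (assumption for this example).
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


def registrable_domain(host: str) -> str:
    """Return the eTLD+1 of a hostname, e.g. 'login.example.com' -> 'example.com'."""
    labels = host.lower().rstrip(".").split(".")
    # Walk from the longest candidate suffix down so 'co.uk' wins over 'uk'.
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in PUBLIC_SUFFIXES:
            if i == 0:
                return host.lower()  # the host itself is a public suffix
            return ".".join(labels[i - 1:])
    return ".".join(labels[-2:])


def should_autofill(vault_entry: dict, page_url: str) -> bool:
    """Offer a saved credential only on HTTPS pages whose registrable domain
    matches one of the domains the credential was saved for."""
    parts = urlsplit(page_url)
    if parts.scheme != "https" or not parts.hostname:
        return False
    page_domain = registrable_domain(parts.hostname)
    allowed = {registrable_domain(urlsplit(u).hostname) for u in vault_entry["urls"]}
    return page_domain in allowed


# Constructed vault entry (placeholder domains, not real records): the sign-up
# domain plus the separate domain the service authenticates on, as the article
# notes many platforms do.
VAULT_ENTRY = {
    "username": "newsletter-owner@example.com",
    "urls": ["https://example.com/signup", "https://login.example-auth.net/"],
}
```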
Subscriber data stolen. The attack resulted in hackers stealing 16,000 records of people who had subscribed to Hunt’s newsletter but later unsubscribed. Mailchimp retains these records, which include email addresses, IP addresses, and latitude and longitude data, though they don’t reveal exact locations.
Even he’s been pwned. Hunt added the stolen data to the Have I Been Pwned database, as he knew he should. Not doing so “would have been hypocritical,” he wrote on his blog. He also immediately reported the incident.
Be wary of urgent messages. Phishing attacks often create a false sense of urgency, pressuring victims to act immediately. Hunt’s experience reinforces the importance of staying calm, thinking critically, and not acting instinctively when faced with alarming emails.
Passkeys can help. Traditional passwords remain a prime target for phishing, but passkeys using secure biometrics offer a more secure alternative. Adoption is still fragmented, but passkeys from providers like Google and Apple add an extra layer of protection, much like two-factor authentication has done.
Image | GuerrillaBuzz (Unsplash)