

Infosec pro Troy Hunt HasBeenPwned in Mailchimp phish

(2025/03/25)


Infosec veteran Troy Hunt of HaveIBeenPwned fame is notifying thousands of people after phishers scooped up his Mailchimp mailing list.

He said the list comprises around 16,000 records and every active subscriber will be receiving a notification and apology email soon. Around half of these records (7,535), however, pertain to individuals who had unsubscribed from the list.

Hunt questioned why Mailchimp retained data on unsubscribed users and said he would investigate whether it was a configuration issue on his end. The Register has asked Mailchimp for comment.


A jet-lagged Hunt offered his apologies to those affected, saying he's "enormously frustrated with myself for having fallen for this."


The phish itself, he said, was "very well crafted," although he admitted his tiredness played a huge role in its success.

Hunt [4]blogged about the incident immediately, providing screenshots of the phishing email he received, which does have a more authentic look about it than many others flying around these days.


The email employed the classic time pressure to urge would-be victims to act fast. In this case, the email told Hunt he would be unable to blast his subscribers with updates until he logged into his account and reviewed his campaigns following a spam complaint.

This created "just the right amount of urgency," Hunt said. Not too much so that it seemed overtly suspicious, but enough to demand a fast response.

He followed the link, entered his credentials and one-time passcode (OTP), watching as the page "hung" – or became unresponsive. Moments later he realized what happened and went to change his password in his account, but received an email from Mailchimp notifying him that the mailing list had successfully been exported.


The time between handing over his credentials and the list being exported was less than two minutes, suggesting the attack was automated rather than specifically targeted at him.

"Ironically, I'm in London visiting government partners, and I spent a couple of hours with the [7]National Cyber Security Centre yesterday talking about how we can better promote [8]passkeys, in part due to their phishing-resistant nature," he blogged on Tuesday morning.

Mailchimp doesn't offer phishing-resistant [9]two-factor authentication (2FA) methods such as hardware security keys or passkeys, opting either for OTPs delivered through an authenticator app or by [10]SMS.

"By no means would I encourage people not to enable 2FA via OTP, but let this be a lesson as to how completely useless it is against an automated phishing attack that can simply relay the OTP as soon as it's entered," said Hunt.

[11]If you dread a Microsoft Teams invite, just wait until it turns out to be a Russian phish

[12]Don't fall for a mail asking for rapid Docusign action – it may be an Azure account hijack phish

[13]OpenAI says Chinese gang tried to phish its staff

[14]This uni thought it would be a good idea to do a phishing test with a fake Ebola scare

He added that the API key created as part of the fraudulent login was deleted, eliminating any persistent access to his account.
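The sequence described above (a login from an unfamiliar location, then a new API key and a full audience export within a couple of minutes) is exactly the pattern an account owner or platform operator can look for in audit logs. The following is an added example, not code from The Register, Troy Hunt or Mailchimp: the log format, IP addresses and user names are constructed, and the five-minute window is an assumption chosen to cover the sub-two-minute gap reported here.

```python
"""Correlate audit events that together look like an automated
credential-relay takeover: a login from an IP the user has not used
before, followed within a short window by a sensitive action such as
an API key creation or an audience export."""
from datetime import datetime, timedelta

# Constructed sample audit log: "<ISO timestamp> <action> key=value ..."
# (this is not Mailchimp's real audit format)
SAMPLE_LOG = """\
2025-03-25T05:40:02Z login user=troy ip=203.0.113.9
2025-03-25T06:02:10Z login user=troy ip=198.51.100.77
2025-03-25T06:02:41Z api_key_created user=troy ip=198.51.100.77
2025-03-25T06:03:55Z audience_exported user=troy ip=198.51.100.77 records=16627
2025-03-25T09:15:00Z login user=alice ip=203.0.113.9
2025-03-25T11:00:00Z audience_exported user=alice ip=203.0.113.9 records=120
"""

# Constructed: IPs each user has logged in from before
KNOWN_IPS = {"troy": {"203.0.113.9"}, "alice": {"203.0.113.9"}}
WINDOW = timedelta(minutes=5)          # assumption: "minutes, not hours"
SENSITIVE = {"api_key_created", "audience_exported"}


def parse(line):
    """Turn one log line into a dict with a parsed timestamp."""
    ts, action, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    fields["action"] = action
    return fields


def find_takeovers(log_text, known_ips=KNOWN_IPS, window=WINDOW):
    """Return one alert per new-IP login that is followed by a sensitive
    action on the same account inside `window`."""
    events = sorted((parse(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    alerts = []
    for i, ev in enumerate(events):
        if ev["action"] != "login":
            continue
        if ev["ip"] in known_ips.get(ev["user"], set()):
            continue                      # familiar IP: not interesting here
        followups = [e["action"] for e in events[i + 1:]
                     if e["user"] == ev["user"]
                     and e["action"] in SENSITIVE
                     and e["ts"] - ev["ts"] <= window]
        if followups:
            alerts.append({"user": ev["user"], "ip": ev["ip"],
                           "login_at": ev["ts"], "followups": followups})
    return alerts


if __name__ == "__main__":
    for alert in find_takeovers(SAMPLE_LOG):
        print(alert)
```

A legitimate user travelling and exporting a list will trigger the same rule, so this is a triage signal rather than a block; its value is that the follow-up actions arrive faster than a human would normally perform them, which is what suggested automation in Hunt's case.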

Hunt also said that users of password managers should keep an eye out for whether credentials auto-fill on websites, since not doing so could be an indicator of a phishing site.

However, this isn't a catch-all protection because there are various websites that use different domains for authentication. Hunt pointed to his Qantas account as one example where the qantas.com.au website authenticates from accounts.qantas.com.
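The autofill behaviour Hunt describes comes down to one comparison: does the registrable domain of the page match the domain the credential was saved for, or one the user has explicitly linked to it? Below is an added example of that check, not code from any password manager or from the article; the public-suffix subset and the linked-domain table are constructed, and the Mailchimp host names are illustrative.

```python
"""Decide whether a saved credential may auto-fill on the current page.
A look-alike such as mailchimp-sso.com never matches mailchimp.com,
while a site that authenticates on another domain (qantas.com.au ->
accounts.qantas.com) is allowed only through an explicit link."""
from urllib.parse import urlsplit

# Assumption: a real manager would use the full Public Suffix List; this
# tiny subset is enough for the demo.
MULTI_LABEL_SUFFIXES = {"com.au", "co.uk"}


def registrable_domain(url):
    """eTLD+1 of a URL: accounts.qantas.com -> qantas.com,
    www.qantas.com.au -> qantas.com.au."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


# Constructed: sites known to hand login off to a different registrable
# domain; maintained by the user or vendor, never learned from the page.
LINKED_DOMAINS = {"qantas.com.au": {"qantas.com"}}


def should_autofill(saved_url, page_url, linked=LINKED_DOMAINS):
    """True only if the page is HTTPS and on the saved site or one of
    its explicitly linked domains.  String similarity plays no part."""
    if urlsplit(page_url).scheme != "https":
        return False
    saved = registrable_domain(saved_url)
    page = registrable_domain(page_url)
    return page == saved or page in linked.get(saved, set())


if __name__ == "__main__":
    print(should_autofill("https://login.mailchimp.com/",
                          "https://mailchimp-sso.com/login"))   # False
    print(should_autofill("https://www.qantas.com.au/",
                          "https://accounts.qantas.com/login"))  # True
```

The useful property is the one Hunt points to: a refusal to fill is a cheap, always-on phishing signal, and the linked-domain table is where the "different domain for authentication" exceptions live, so a silent fill on an unknown host is never the default.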

He also alluded to the idea that some blame should also fall on [15]Outlook's iOS app, which rendered the phishing email's fraudulent sender name as 'MailChimp Account Services.' Aside from the erroneous styling of the Mailchimp brand, it crucially didn't reveal the domain behind it (hr@group-f.be) – the more obvious indicator of fraudulence as it has no ties to Mailchimp's infrastructure.

The domain used to host the credential-nabbing page (mailchimp-sso.com) has since been taken down by Cloudflare, just over two hours after Hunt's credentials were stolen. ®





[4] https://www.troyhunt.com/a-sneaky-phish-just-grabbed-my-mailchimp-mailing-list/



[7] https://www.theregister.com/2025/03/20/ncsc_post_quantum_cryptogrpahy/

[8] https://www.theregister.com/2024/11/17/passkeys_passwords/

[9] https://www.theregister.com/2024/01/15/critical_gitlab_vulnerability/

[10] https://www.theregister.com/2025/02/25/google_sms_qr/

[11] https://www.theregister.com/2025/02/15/russia_spies_spoofing_teams/

[12] https://www.theregister.com/2024/12/19/docusign_lure_azure_account_takeover/

[13] https://www.theregister.com/2024/10/10/china_phish_openai/

[14] https://www.theregister.com/2024/08/22/ucsc_phishing_test_ebola/

[15] https://www.theregister.com/2025/03/20/outlook_outage_again/




lglethal

All you can say, is that it happens to the best of us as well. The right combination of time pressures, tiredness, and stress and anyone can fall victim to a well crafted phish.

Props to Troy for being upfront and honest about it, and giving all the details out, so that other people can learn from the mistakes made...

John Brown (no body)

Well, yes and no. Rule No.1 Never click a link in an email asking you to log in to your account. Use your browser bookmark.

hohumladida

Exactly. Also I just looked at his blog and the first thing I noticed in the phish was "Hello, ". This is the first give away right there. Phishers almost never address you by name (because they don't know your name, unless targeting someone specifically, i.e. public figures). I get it he was tired and all but this is a very rookie mistake. But kudos for him blogging about it and sharing the details.

Anonymous Coward

Mailchimp holds a list of unsubscribed email addresses for each account. This is not visible to the account holder, but is used to prevent the account holder re-adding someone to an audience. It's presumably because Mailchimp doesn't trust its users, based on it positioning itself as a service for the technically challenged. If that unsubscribed list has been exfiltrated, then it suggests the hackers know a workaround to access it.

Whether this invisible list is in line with GDPR I don't know, but I wouldn't trust Mailchimp to organise a piss up in a brewery without fucking it up. Their API is a Byzantine mess, with hard coded limits that are not documented and many other quirks. They're also expensive compared to more competent alternatives, but have good marketing.

Androgynous Cupboard

GDPR explicitly lets you store a list of people that don't want to be contacted, for the obvious reason that if you don't have this list, you might contact them.

Bill Gray

Mailchimp holds a list of unsubscribed email addresses for each account. This is not visible to the account holder, but is used to prevent the account holder re-adding someone to an audience.

An interesting point, and obvious once you mention it.

Hmmm.... off the top of my head : maybe store a list of salted hashes of unsubscribed addresses? If that list is extracted, it's a heck of a lot less useful than the plain-text addresses. Though somebody else who has given it >15 seconds of thought has probably come up with a better solution.
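The suggestion in the comment above works, with one refinement a practitioner would want: e-mail addresses are guessable, so a plain salted hash can still be checked offline against a dictionary of known addresses. Keying the hash with a per-account secret (HMAC) removes that, because without the key an exported list is just opaque tags. The following is an added example of such a suppression list, not Mailchimp's code; the key handling and sample addresses are constructed.

```python
"""A suppression list that stores keyed hashes (HMAC-SHA256) of
unsubscribed addresses instead of the addresses themselves."""
import hashlib
import hmac
import secrets


def normalise(addr):
    """Case-fold and trim so the same mailbox always produces one tag.
    (Per-provider rules such as dots in Gmail local parts are not applied.)"""
    local, _, domain = addr.strip().rpartition("@")
    return f"{local.lower()}@{domain.lower()}"


class SuppressionList:
    def __init__(self, key=None):
        # Assumption: the per-account key lives in a KMS/HSM in practice
        # and is never stored beside the tags it protects.
        self.key = key if key is not None else secrets.token_bytes(32)
        self._tags = set()

    def _tag(self, addr):
        return hmac.new(self.key, normalise(addr).encode("utf-8"),
                        hashlib.sha256).hexdigest()

    def add(self, addr):
        """Record an unsubscribe without keeping the address."""
        self._tags.add(self._tag(addr))

    def is_suppressed(self, addr):
        """The only question the list can answer: is this address on it?"""
        return self._tag(addr) in self._tags

    def export(self):
        """What an export (or an exfiltration) of the list yields: tags only."""
        return sorted(self._tags)


if __name__ == "__main__":
    sl = SuppressionList()
    sl.add("Alice@Example.com")
    print(sl.is_suppressed("alice@example.com"))   # True
    print(sl.export())                              # one hex tag, no address
```

Two caveats: the membership check is itself an oracle, so whatever endpoint exposes it needs the same rate limiting and audit logging as any other per-address lookup; and the key must not be exportable through the same account access that exports the list, or the protection collapses to a salted hash.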

hohumladida

Yuck, why use anything Outlook, outside of a corporate environment where you have no choice.

Spazturtle

Because he works at Microsoft and all his regular contacts likely also use Outlook?

hohumladida

I saw that. But why is he using his corporate Microsoft account for this? Is HaveIBeenPwned a Microsoft sponsored or his own pet project (I believe it is the latter)? There is a corporate persona and there is an individual persona and never shall the 2 meet.

He does NOT work at Microsoft

Roger Lipscombe

"Because he works at Microsoft..."

He does NOT work at Microsoft, per https://www.troyhunt.com/about/: "I don't work for Microsoft".

More than somewhat confusingly, Microsoft reward community leaders (the old term for "influencer", I guess) with titles that *sound* like they work for Microsoft. For example, the title "Microsoft Regional Director" sounds like you work at Microsoft, but it doesn't actually mean that. According to https://mvp.microsoft.com/en-us/RD, "The Microsoft Regional Directors program recognizes industry professionals..."

Yeah, it's stupid and confusing.

Re: He does NOT work at Microsoft

hohumladida

The MVP should have been another give away for me. Although Microsoft employs 'MVP's, most of them are just as you said, 'influencers' that are not on MS payroll.

MailChimp

original_rwg

The following shit-show was a number of years ago now but for the avoidance of doubt, bulkmailprovider was Mailchimp

So, the back story here is that a member of staff where I work could not subscribe to a particular mailing list for an organisation whose activities were very relevant to her job.

The organisation uses a bulk email service for distribution of said emails. I couldn't subscribe either, in fact no one could and another staff member was now no longer in receipt of a regular e-bulletin which was also distributed by this bulk mail service. Confused, I got in touch with them and the correspondence is below. I have changed names to protect the innocent and the ridiculous alike because you couldn't make this up.

RWG said: (Via their web page)

Hi.

I'm at a bit of a loss to explain this error message (That e-mail address has been banned) when some of our people attempt to subscribe to a mailing list you operate on behalf of the 'Important Public Organisation'.

I've made sure that 'BulkMailProviders' server addresses have been added to our mail filter white list but our users can still not successfully subscribe and another, who was previously receiving an E-bulletin, also delivered by yourselves on behalf of 'Another Important Organisation', is now no longer receiving that.

We use a 'ReputableMake' firewall with built in mail filtering.

oooOOOooo

'BulkMailProvider' replied:

Hey RWG,

Thanks for getting in touch with us about this! I can definitely understand your concern here, and I'd be more than happy to help you get started in the right direction.

When an email address returns the banned error message, it is because somebody at that domain has requested to no longer receive emails from 'BulkMailProvider'.

We would recommend reaching out to our Compliance team for further information. They can be reached at compliance@bulkmailprovider.com

If there's anything else we can help you with, don't hesitate to get back in touch with us and we'll be happy to assist you.

Have a good one!

Thank you,

Igor

oooOOOooo

RWG responded:

Hello

I was given your mail address by Igor. I understand from him, that the reason some of our users are unable to subscribe to e-bulletins and newsletters, from organisations that use your service for delivery, is because someone at our mail domain has requested not to receive any further communications from an organisation that uses your service. Can you advise how we might resolve this?

Regards

RWG

oooOOOooo

'BulkMailProvider' replied:

Hi RWG and thank you for reaching out to us. In order to resubscribe the 'wherethisishappening' domain we just need the original person who requested to block to reach out to us. They can send an email to compliance@bulkmailprovider.com requesting the domain be resubscribed. While we are unable to provide the details of the individual who requested the block we can say it was submitted to us on November 19, 2013. Hopefully this will get you going in the right direction.

Feel free to contact us if you have any other specific questions or comments that we can assist you with.

Thank you,

Mel

oooOOOooo

RWG asked:

Hi Mel

Thanks for getting back to me. I'm afraid your explanation, while understandable, is less helpful than I had hoped for. Unfortunately, it is not practical to interrogate the mail system, or our employees in order to determine who may have selected to unsubscribe.

Even if it were possible to discover whom it may have been, it could be of little use, as if any one individual wishes to opt out of communications for which 'BulkMailProvider' is the service provider, then the entire mail domain is subsequently excluded. That strikes me to be a strange policy although no doubt the reasoning is sound. Could you offer some explanation on that? I'm sure our users here would be most interested, as would I.

Regards

RWG

oooOOOooo

'BulkMailProvider' replied:

Hello RWG,

Thank you for writing back in. The domain @wherethisishappening has been removed from the blacklist. It will now be possible to add subscribers from this domain. Please note that it may take 24-48 hours for this to take effect.

If you have any additional questions, please let us know.

Thank you,

Tony

Anonymous Coward

Outlook, or at least the newer version/editions that come with M365, appear to make it actively difficult to find and assess the mail headers for a specific mail, something that consistently frustrates me in my day to day life.

That's on a managed Windows 11 client (rather than the Mac client I had before) and has very nearly got me angry/frustrated enough to try a Geoff Capes style shot-put of my laptop through a window. It's like they _want_ you to rely on Defender for Endpoint/Cloud/Whatever...

Actual Snippet of Windows Source Code! Honest!

NOTE: The following snippet of the Windows 95 source code was sent to us via
'unofficial' channels. Don't tell anyone you saw this! We really don't
feel like being visited by the Microsoft Intellectual Property Police.

void BusyLoop()
/* Do nothing loop to kill CPU cycles; added at the
request of Intel */
{
DisplayRandomSubliminalMessage();
for( int i = 0; i < BIG_INT; i++ )
for( int j = 0; j < BIG_INT; j++ )
for( int k = 0; k < BIG_INT; k++ )
for( int l = 0; l < BIG_INT; l++ )
if( STACK_SPACE_PERCENTAGE_FREE > .05 )
/* There's plenty of stack space left -- let's
eat up some more CPU cycles, recursively! */
BusyLoop();
}