
Troy Hunt, the renowned cybersecurity blogger and creator of the popular service “Have I Been Pwned” (HIBP), has disclosed a data breach involving his subscriber list, resulting from a phishing attack that compromised his Mailchimp account. The incident occurred on the morning of March 25, while Hunt was in London. Weary from travel and jet lag, he inadvertently entered his login credentials and one-time passcode on a convincingly crafted phishing site that visually mirrored Mailchimp’s official interface.
The malicious site, hosted on the domain “mailchimp-sso[.]com,” was designed to evoke a sense of urgency without triggering alarm. As a result, the attackers gained access to his account and, within seconds, exported the entire mailing list. Mailchimp later confirmed the login originated in London, followed by activity from a New York-based IP address—where the data exfiltration occurred.
The exported dataset included approximately 16,000 entries, encompassing both current and unsubscribed users. Each record contained email addresses, mailing list preferences, subscription dates, IP addresses, approximate geolocation data, and additional metadata. Hunt expressed particular concern over Mailchimp’s default practice of retaining information for unsubscribed users—an issue he noted could be mitigated via account settings.
Hunt openly acknowledged his own lapse in judgment, attributing it to fatigue rather than inexperience, despite his extensive background in combating phishing threats. He noted that 1Password's failure to autofill his password (a password manager only offers saved credentials on the domain they were saved for) should have been a red flag, but it was overlooked. He described the phishing email as particularly insidious, not because it induced panic, but because it applied just enough pressure to compel immediate action.
He further criticized Mailchimp’s lack of support for phishing-resistant authentication methods, such as passkeys or hardware security keys. Hunt intends to press Mailchimp with two key questions: whether they plan to adopt passkey support, and why they continue to store data from unsubscribed users. He also announced plans to champion stronger authentication practices through his initiative at “whynopasskeys[.]com.”
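The reason passkeys would have blunted this attack is that a WebAuthn assertion is bound to the origin the browser actually shows, whereas a password and a one-time passcode can be typed into any look-alike page and relayed to the real site in seconds. The following Python sketch is an added illustration, not code from Hunt's post or from Mailchimp: it builds the client-side parts of an assertion the way a browser would and runs the relying-party checks that precede signature verification. The relying-party ID, the legitimate origin and the look-alike origin are constructed placeholders, and the signature check that a real deployment performs on top of these fields is omitted.

```python
import base64
import hashlib
import json

# Constructed placeholders (not from the article): a hypothetical relying party
# and a look-alike origin in the style of the phishing domain described above.
RP_ID = "mailchimp.example"
EXPECTED_ORIGIN = "https://login.mailchimp.example"
PHISHING_ORIGIN = "https://mailchimp-sso.example"


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_assertion(origin: str, challenge: bytes, rp_id: str = RP_ID) -> dict:
    """Build the client-side parts of a WebAuthn 'get' assertion as a browser would.

    The browser writes the `origin` field itself from the page that invoked
    navigator.credentials.get(); page script cannot substitute another origin.
    """
    client_data = {
        "type": "webauthn.get",
        "challenge": b64url_encode(challenge),
        "origin": origin,
    }
    # authenticatorData: rpIdHash (32 bytes) || flags (1 byte) || signCount (4 bytes).
    # 0x05 = user present (UP) and user verified (UV).
    auth_data = (
        hashlib.sha256(rp_id.encode()).digest()
        + bytes([0x05])
        + (0).to_bytes(4, "big")
    )
    return {
        "clientDataJSON": json.dumps(client_data).encode(),
        "authenticatorData": auth_data,
    }


def verify_assertion(
    assertion: dict,
    expected_challenge: bytes,
    expected_origin: str = EXPECTED_ORIGIN,
    rp_id: str = RP_ID,
) -> tuple[bool, str]:
    """Relying-party checks from the WebAuthn spec that run before the signature
    is verified. A relayed assertion from a look-alike site fails on `origin`."""
    client_data = json.loads(assertion["clientDataJSON"])
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (replay or wrong session)"
    if client_data.get("origin") != expected_origin:
        return False, f"origin mismatch: {client_data.get('origin')!r}"
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    # A real relying party now verifies the signature over
    # authenticatorData || SHA-256(clientDataJSON) with the stored public key,
    # which is what makes the origin field tamper-evident. Omitted here.
    return True, "ok"


if __name__ == "__main__":
    challenge = b"constructed-challenge-123"  # per-login nonce issued by the server
    print(verify_assertion(make_assertion(EXPECTED_ORIGIN, challenge), challenge))
    print(verify_assertion(make_assertion(PHISHING_ORIGIN, challenge), challenge))
    print(verify_assertion(make_assertion(EXPECTED_ORIGIN, challenge), b"stale"))
```

In practice the check is even stronger than this sketch suggests: a page on a different registrable domain cannot invoke the credential at all, because the browser refuses an rpId that is not a suffix of the calling origin, so the look-alike site never obtains an assertion to relay. The origin and challenge comparisons above are what the relying party does with whatever it does receive; the stale-challenge case shows why a captured assertion cannot be replayed later either.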
Following the incident, Hunt added the affected email addresses to the Have I Been Pwned database. Notifications were dispatched to over 6,600 individual subscribers and 2,400 domain administrators monitoring exposure to data breaches.
Subsequently, Mailchimp temporarily suspended Hunt’s account to prevent further unauthorized access, which explained subscription issues reported by new users. An official investigation is underway. In parallel, Hunt is probing how his data may have been compromised—pointing to a unique Mailinator address used exclusively with Mailchimp, which he suspects may have leaked from the platform itself.
In closing, Hunt urged companies to adopt full transparency in breach disclosures and to promptly alert affected users. He emphasized that even a breach involving “just” email addresses merits public reporting and archival in breach databases. He intends to use this event as a case study in upcoming presentations and training sessions, while continuing to advocate for safer online authentication practices.