
No one is immune to mistakes, even the top security experts. Just ask Troy Hunt, the creator of HaveIBeenPwned, who recently got phished while trying to log into his Mailchimp account. Hunt’s story is a perfect example of how even those most aware of cybersecurity threats can fall victim—especially when tired and distracted.
The phishing attack started with an email that tried to make Hunt panic by creating a false sense of urgency. Although Hunt noticed red flags—the fake sender, the unusual tone, and the fact that his password manager didn’t auto-fill on the site—they weren’t enough to stop the scam. Being jet-lagged and fatigued, he slipped up, and the attacker grabbed his Mailchimp credentials and exported all 16,000 email addresses from his newsletter, including those of people who had unsubscribed.
What can we learn from this? First, phishing scams often come with warning signs, but these are easy to miss when we’re busy or tired. The safest move is never to click on links in urgent emails or texts. Instead, log in to your accounts directly from official websites or apps. The same goes for phone calls—always verify phone numbers through trusted sources before responding.
Hunt also points out the power of passkeys, which are designed to resist phishing, and the importance of robust two-factor authentication methods like hardware security keys (think YubiKey or Google Titan). These tools make it much harder for scammers to break into your accounts, even if they get hold of your password.
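Why a passkey holds up where a typed password does not, as an added example that is not from Hunt's post or from any project's code: the assertion carries the origin the browser actually saw and a hash of the relying-party ID, and the site rejects it when either does not match. The domains, constants and helper names are constructed for illustration, and signature verification is left out to keep the focus on origin binding.

```python
import base64
import hashlib
import json

# Assumed values for a hypothetical site; not taken from the article.
RP_ID = "login.example.com"
EXPECTED_ORIGIN = "https://login.example.com"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_assertion(origin: str, rp_id: str, challenge: bytes) -> dict:
    """Constructed sample of the two fields sent back after a passkey login."""
    client_data = json.dumps({
        "type": "webauthn.get",
        "challenge": b64url(challenge),
        "origin": origin,  # filled in by the browser, not by the page
    }).encode()
    # authenticatorData layout: rpIdHash (32 bytes) | flags (1) | signCount (4)
    auth_data = (hashlib.sha256(rp_id.encode()).digest()
                 + b"\x05" + (1).to_bytes(4, "big"))
    return {"clientDataJSON": client_data, "authenticatorData": auth_data}


def check_assertion(assertion: dict, challenge: bytes) -> list[str]:
    """Return the names of the failed checks; an empty list means all passed."""
    failures = []
    client_data = json.loads(assertion["clientDataJSON"])
    if client_data.get("type") != "webauthn.get":
        failures.append("type")
    if client_data.get("challenge") != b64url(challenge):
        failures.append("challenge")
    if client_data.get("origin") != EXPECTED_ORIGIN:
        failures.append("origin")
    expected_hash = hashlib.sha256(RP_ID.encode()).digest()
    if assertion["authenticatorData"][:32] != expected_hash:
        failures.append("rpIdHash")
    return failures


if __name__ == "__main__":
    challenge = b"\x01" * 32  # constructed; a real server uses random bytes
    genuine = make_assertion(EXPECTED_ORIGIN, RP_ID, challenge)
    lookalike = make_assertion("https://login.example-sso.test",
                               "login.example-sso.test", challenge)
    print("genuine site:  ", check_assertion(genuine, challenge))
    print("lookalike site:", check_assertion(lookalike, challenge))
```

In practice the browser would not offer the real site's passkey on the lookalike domain at all; the server-side checks shown here are the second layer that rejects such a response if one ever arrived.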
Another important takeaway is that leaving or unsubscribing from a service doesn’t necessarily erase your data. Mailchimp, for example, keeps unsubscribed emails in its database to prevent accidental resubscriptions. That means your information might still be at risk unless you specifically request deletion—something privacy laws in many places now require companies to honor if you ask.
For everyday users, Hunt recommends using email masking services. By assigning a unique email alias to each service, you can prevent a single data breach from exposing all your accounts, making it harder for hackers to build a profile on you.
At the end of the day, Hunt’s experience is a reminder that anyone can be fooled, and it’s not about blame. We all get tired, distracted, or stressed. The goal is to put safeguards in place that help protect you when you’re not at your sharpest. Sharing his story openly, Hunt provides invaluable lessons to help everyone stay safer online.

