Humans aren’t infallible, as much as we’d like to be. That includes security experts, as Troy Hunt revealed yesterday. Turns out, the legend behind HaveIBeenPwned (a site that lets you see which data breaches you’ve been in) got phished when trying to log into Mailchimp.
In a post titled “A Sneaky Phish Just Grabbed my Mailchimp Mailing List,” Hunt runs down the situation, starting with how it began (jet lag and fatigue while traveling) and how it ended (the phisher capturing his credentials, logging in, and then exporting all 16,000 email addresses associated with his newsletter). If you’ve been affected, Hunt has already loaded those email addresses into the HaveIBeenPwned database. The list includes people who already unsubscribed from the newsletter—Mailchimp does not delete these email addresses from its databases.
You can read the full details of what happened in the post, but I was most struck by the lessons to take away from Hunt’s clear account of the incident. Not just the things to watch out for, but how to set up your digital life so you’re still safe if you slip up. Let’s dig in:
Don’t rely on warning signs
Walking through Hunt’s tale, you can see that scams do signal what they are. In Hunt’s case, multiple small warning signs existed:
- False urgency in the email
- Sender of the email was fake
- Autofill from 1Password didn’t trigger on the illegitimate site
A security expert of Hunt’s level normally would be sensitive to these details. But he was tired while traveling—a situation any of us could find ourselves in.
The lesson here: If you receive an urgent email or message, skip the link provided—instead, log into your accounts directly. (Similarly, return phone calls using official phone numbers from a bank statement or the back of your bank card—or at the very least, Google the provided number to verify its authenticity.) This strategy gives some cushion against having to be 100 percent sharp about spotting scams, 24/7.
Passkeys are also a better method for logging in, as they’re phishing resistant. So are stronger methods of 2FA, like hardware keys (e.g., YubiKeys or a Google Titan Security Key).
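To make concrete why the missing 1Password autofill was a warning sign and why passkeys resist phishing, here is an added illustration (not code from Hunt’s post, 1Password, or any browser) of an origin-bound credential store: a saved login is only offered when the current page’s registrable domain matches the one it was saved from, so a lookalike host gets nothing. The vault entries, user names and URLs are constructed, and the domain helper is a simplification of the real Public Suffix List logic.

```javascript
// Added example of origin-bound credential selection, the rule that a
// password manager's autofill or a WebAuthn client applies before offering
// a saved login or passkey. Not 1Password's or any browser's actual code.

// Constructed vault: each entry records the exact origin it was saved from.
const VAULT = [
  { site: "Mailchimp", origin: "https://login.mailchimp.com", user: "troy@example.com" },
  { site: "Bank", origin: "https://www.example-bank.com", user: "troy@example.com" },
];

// Registrable domain (eTLD+1), simplified here to "last two labels".
// Assumption for this example: real implementations consult the Public
// Suffix List so that hosts like "something.co.uk" are handled correctly.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split(".");
  return labels.slice(-2).join(".");
}

// Strict rule: https only, and the page's registrable domain must equal the
// saved origin's. A lookalike such as "mailchimp.login-verify.example"
// contains the string "mailchimp" but has a different registrable domain,
// so nothing is offered. That silence is the warning sign Hunt describes.
function eligibleCredentials(vault, pageUrl) {
  const page = new URL(pageUrl);
  if (page.protocol !== "https:") return [];
  const pageDomain = registrableDomain(page.hostname);
  return vault.filter(
    (entry) => registrableDomain(new URL(entry.origin).hostname) === pageDomain
  );
}

// Weak rule, shown only for contrast: naive substring matching on the host
// name, which a lookalike domain satisfies, so the credential prompt would
// appear on the wrong site and the user loses the signal.
function eligibleCredentialsNaive(vault, pageUrl) {
  const host = new URL(pageUrl).hostname.toLowerCase();
  return vault.filter((entry) => host.includes(entry.site.toLowerCase()));
}
```

The same origin check is what a passkey's relying-party ID enforces at the protocol level, which is why a credential registered on the real site cannot be exercised on a lookalike one.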
Leaving a service won’t protect you from data breaches
As Hunt discovered while parsing his lost data, not all companies delete your data if you leave them. In fact, in the case of Mailchimp, they appear to purposely retain email addresses of unsubscribers so that they can’t be readded to a list.
Most services have a way to delete you from their databases. (Various state and national governments have laws requiring an easy way to be deleted, also known as the right to be forgotten.) Unless you make that request, though, you could be part of any number of massive troves of data, ripe for stealing by bad actors.
And the more data that hackers have about you (what your interests are, where you shop, etc.), the easier it is for them to target you.

Masked emails keep your real address hidden from websites. (Image credit: Michael Ansaldo/Foundry)
The lesson here: To truly sever a relationship with a website, you have to request the deletion of your data. Such a step can be worthwhile for extremely sensitive data, like genetic testing. For everything else, consider using email masks instead. You’ll have a unique email alias for each service, so if any one of them is breached, the data can’t be easily used to build a profile of you.
It can happen to anyone
Hunt’s experience is a reminder that scams can prey on just about anyone, and that if you fall for one, it’s not because you’re stupid. Sometimes you’re just busy, stressed, or otherwise too preoccupied to realize what’s in front of you.
But you shouldn’t stop being vigilant. A security guru falling for a phishing scam doesn’t mean we’re all doomed. On the contrary, you have just as much chance of successfully evading schemes as everyone else. When I write about security, it’s not from a place of authoritative expertise. I know I’m just as susceptible as everyone else—and so I share whatever useful info I have, so that we can all watch our tails.