Troy Hunt (creator of ‘Have I Been Pwned’) has confirmed his blog’s mailing list was compromised after he fell for a phishing attack mimicking Mailchimp.

Hunt says that while he was jet-lagged in London, he received a convincing phishing email prompting him to log into a fake Mailchimp site, mailchimp-sso.com. He entered his login details and a one-time password (OTP), only realising the mistake moments later. An OTP proves possession of the code, not which site it was typed into, so the attacker was able to use the captured credentials against the real Mailchimp site before the code expired. Despite Hunt resetting his password swiftly, the attacker had already exported his mailing list from a New York IP address.

Around 16,000 email addresses were exposed, including over 7,500 belonging to users who had already unsubscribed. Hunt criticised this detail, questioning why Mailchimp retains the data of unsubscribed users. The stolen data also included IP addresses and rough location metadata derived from them.

Hunt admitted the phishing email was well-crafted, creating just enough urgency without sounding alarmist. “We all have moments of weakness and if the phish times just perfectly with that, well, here we are,” he wrote. Ironically, the incident happened the day after he’d been discussing passkey adoption with the UK’s National Cyber Security Centre.

He has since notified affected users and loaded the breach into Have I Been Pwned, reinforcing his long-held message about transparency and rapid disclosure in data breaches.

For businesses, this incident is a reminder that even experts are vulnerable. Clear phishing awareness training, secure password management, and adoption of phishing-resistant authentication such as passkeys are now essential steps in protecting sensitive data. Two practical points follow from this case: a password manager that declines to autofill on an unrecognised domain is itself a warning sign worth heeding, and a one-time code from an authenticator app is not phishing-resistant, because it can be relayed to the real site within its validity window. Passkeys resist this because the browser binds each assertion to the origin of the page that requested it, so an assertion produced on a look-alike domain is rejected by the genuine site.
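The following Python simulation is an added illustration, not code from the article or from Mailchimp or Have I Been Pwned. It shows the two mechanisms side by side: a TOTP code (RFC 6238, SHA-1, 30-second step) relayed by the attacker still verifies at the real site, while a passkey-style assertion produced on the look-alike domain fails the relying party's origin and rpId checks. The domains, the credential key and the challenge are constructed for the example, and the assertion signature is modelled with an HMAC over a shared key as a stand-in for WebAuthn's real per-credential public-key signature.

```python
"""Simulation of why a phished TOTP code still works for the attacker
and why a passkey assertion obtained on a look-alike domain does not.
All domains, keys and timestamps are constructed for this example."""
import hashlib
import hmac
import json
import struct

REAL_ORIGIN = "https://mailchimp.com"          # assumed genuine origin
REAL_RP_ID = "mailchimp.com"                   # assumed relying-party id
PHISH_ORIGIN = "https://mailchimp-sso.com"     # look-alike domain from the article


# ---- TOTP (RFC 6238) -------------------------------------------------
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30) -> str:
    """TOTP per RFC 6238: HOTP with the counter derived from the time step."""
    return hotp(secret, unix_time // step)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the code for the current step plus/minus `window` steps (clock skew)."""
    counter = unix_time // 30
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-window, window + 1))


def otp_relay_attack(secret: bytes, typed_at: int, relayed_at: int) -> bool:
    """The victim types the live code into the phishing page at `typed_at`;
    the attacker forwards it to the real site at `relayed_at`.  Nothing in
    the code says where it was typed, so it verifies if the window allows."""
    code_typed_into_phish = totp(secret, typed_at)
    return verify_totp(secret, code_typed_into_phish, relayed_at)


# ---- Passkey-style assertion (WebAuthn origin binding, simplified) ----
def authenticator_assert(cred_key: bytes, page_origin: str, challenge: str) -> dict:
    """The browser, not the user, fills in the origin of the page that asked
    for the assertion and derives the rpId from it; the signature covers both."""
    rp_id = page_origin.removeprefix("https://")
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}, sort_keys=True).encode()
    # authenticatorData: sha256(rpId) || flags (user present) || 4-byte counter
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (1).to_bytes(4, "big")
    # HMAC stands in for the real public-key signature over authData || sha256(clientData)
    sig = hmac.new(cred_key, auth_data + hashlib.sha256(client_data).digest(),
                   hashlib.sha256).digest()
    return {"client_data": client_data, "auth_data": auth_data, "sig": sig}


def rp_verify(cred_key: bytes, assertion: dict, expected_challenge: str) -> bool:
    """Relying-party checks in the order WebAuthn prescribes: type, challenge,
    origin, rpIdHash, then the signature over authData || sha256(clientData)."""
    cd = json.loads(assertion["client_data"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != expected_challenge:
        return False
    if cd.get("origin") != REAL_ORIGIN:            # origin binding: phishing domain fails here
        return False
    if assertion["auth_data"][:32] != hashlib.sha256(REAL_RP_ID.encode()).digest():
        return False
    expected = hmac.new(cred_key, assertion["auth_data"]
                        + hashlib.sha256(assertion["client_data"]).digest(),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["sig"])


def passkey_legit_login(cred_key: bytes, challenge: str) -> bool:
    return rp_verify(cred_key, authenticator_assert(cred_key, REAL_ORIGIN, challenge), challenge)


def passkey_relay_attack(cred_key: bytes, challenge: str) -> bool:
    """Attacker relays the real site's challenge to the victim on the look-alike
    domain and forwards the resulting assertion unchanged."""
    return rp_verify(cred_key, authenticator_assert(cred_key, PHISH_ORIGIN, challenge), challenge)


def passkey_tamper_attack(cred_key: bytes, challenge: str) -> bool:
    """Attacker rewrites the origin in clientData to the real one; the signature
    covered the original clientData hash, so verification fails."""
    assertion = authenticator_assert(cred_key, PHISH_ORIGIN, challenge)
    cd = json.loads(assertion["client_data"])
    cd["origin"] = REAL_ORIGIN
    assertion["client_data"] = json.dumps(cd, sort_keys=True).encode()
    return rp_verify(cred_key, assertion, challenge)


if __name__ == "__main__":
    totp_secret = b"12345678901234567890"        # RFC 6238 test-vector secret
    print("TOTP relayed 20 s later accepted:", otp_relay_attack(totp_secret, 1000, 1020))
    key, challenge = b"constructed-credential-key", "constructed-challenge"
    print("Passkey on real site:", passkey_legit_login(key, challenge))
    print("Passkey relayed from look-alike:", passkey_relay_attack(key, challenge))
    print("Passkey with rewritten origin:", passkey_tamper_attack(key, challenge))
```

The TOTP half uses the RFC 6238 reference secret so the generated codes can be checked against the published test vectors; the relay succeeds whenever the attacker forwards the code within the verifier's skew window, which is exactly the gap a real-time phishing proxy exploits. The passkey half fails at the origin check before the signature is even examined, and rewriting the origin after the fact breaks the signature instead.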