Hunt quickly went public about the attack, which did not affect the Have I Been Pwned? service; that service remains secure.
The phish allowed a ‘highly automated’ attack
In a blog post, Hunt explained how the well-crafted email had tricked him into acting on its contents. Hunt was, by his own account, travelling and somewhat jet-lagged, factors that meant he missed warning signs such as his password manager not filling in the login details, the domain, and the unrelated source email that posed as “Mailchimp Account Services”.
“It socially engineered me into believing I wouldn’t be able to send out my newsletter so it triggered ‘fear’, but it wasn’t all bells and whistles about something terrible happening if I didn’t take immediate action,” according to Hunt.