The Register reports that the data breach notification service Have I Been Pwned (HIBP) had nearly 16,000 records belonging to current and former Mailchimp mailing list subscribers stolen following a successful phishing attack against HIBP administrator Troy Hunt.
Hunt said the attackers used a highly convincing malicious email warning of a spam complaint that could lead to account deactivation until a proper login was recorded. The email included a link redirecting to the mailchimp-sso[.]com phishing site, which harvested his credentials and one-time passcode.
In a blog post, Hunt said that entering the information led to the mailing list being exported in under two minutes, indicating an automated intrusion. Hunt admitted to being jetlagged at the time of the incident.
While Mailchimp has yet to respond to Hunt's queries about its retention of data from unsubscribed users, Cloudflare has already dismantled the phishing site.
"By no means would I encourage people not to enable 2FA via OTP, but let this be a lesson as to how completely useless it is against an automated phishing attack that can simply relay the OTP as soon as it's entered," Hunt added.