Security Expert Troy Hunt Lured in by Mailchimp Phish
Security Week 2514: data leak at Troy Hunt's
On March 25, information about the theft of an email address database belonging to Troy Hunt, founder of Have I Been Pwned (a service that collects information on personal data breaches), was added to that very service. The data was stolen from an account on Mailchimp, which Troy used to send out newsletters for his personal website. Hunt described in detail how he fell victim to phishing, and it is a very interesting case: a person with enormous experience specifically in the field of personal data protection was taken in by the scammers' tricks. Troy Hunt considered fatigue to be the main reason the phishing attack succeeded. He received the email right after a long flight from Australia to the United Kingdom. The message said that restrictions had been placed on his account at the Mailchimp mailing service, supposedly on suspicion of sending spam. After clicking the link in the email, Troy entered his login and password, and then a two-factor authentication code. The researcher noticed his mistake immediately and changed his password, but the database of 16 thousand email addresses had already been stolen.
#Unplugtrump bye #airbnb and #mailchimp, hello #omnisend as an alternative to Mailchimp. Already left #meta #twitter and #amazon ages ago; working on #dropbox #stripe and #paypal step by step #pulltheplug
Our new newsletter is now managed with #omnisend #unplugtrump instead of #mailchimp
https://lqs.soundestlink.com/view/67e94cfa57b273fbbeb9570c/0 #littleshopofmusic #musik #Vinyl #lpcafewien #recordstore
On the topic of #Mailchimp: after it came out yesterday that Mailchimp keeps storing unsubscribed email addresses*, I fed their data access request form (https://mailchimp.com/de/about/privacy-rights/) with a few different email addresses that had been signed up for newsletters. So far I haven't heard anything back from Mailchimp...
* see https://www.troyhunt.com/a-sneaky-phish-just-grabbed-my-mailchimp-mailing-list/
@thunderbird Regarding the #mailchimp incident that led to my email information for your newsletter being stolen, the notification in your email is lacking important information.
How did hackers gain the access?
If you think you’re immune to phishing attempts, you’re wrong! https://www.helpnetsecurity.com/2025/03/26/troy-hunt-mailchimp-phishing-email/ #accountprotection #socialengineering #accounthijacking #databreach #Don'tmiss #Mailchimp #Hotstuff #phishing #News #HIBP #2FA
“Infosec veteran Troy Hunt of #HaveIBeenPwned fame is notifying thousands of people after phishers scooped up his #Mailchimp mailing list.
He said the list comprises around 16,000 records and every active #subscriber will be receiving a notification and apology #email soon. …
Around half of these records (7,535), however, pertain to individuals who had #unsubscribed from the list”
#InfoSec / <https://theregister.com/2025/03/25/troy_hunt_mailchimp_phish/>
#Mailchimp could be safer.
Why do Mailchimp users need access to the subscriber email list? The user isn't sending emails by themselves; they're using the service provider to do it for them. And the mailing list subscribers already manage their subscriptions on their own. This could easily be made safer by preventing the Mailchimp user from having access to the subscriber and unsubscriber data. It's already bad enough that the service provider has access to everything.
I know a lot of authors have newsletters. Some of you probably use Mailchimp for the purpose.
Be aware that Mailchimp apparently does not respect people's decision to unsubscribe by deleting their PII, but rather holds on to it. (As a recipient, this is *not* what I expect.)
I would not be at all surprised if other providers also do this; but in this case, it was Mailchimp being caught holding the smoking gun.
https://www.troyhunt.com/a-sneaky-phish-just-grabbed-my-mailchimp-mailing-list/
Interesting.
Aside from the successful phish, it appears that **Mailchimp keeps a record of unsubscribed email addresses** and those are included in subscriber list exports.
So: if you have signed up for a mailing list run by Mailchimp, and you unsubscribe, the email address you signed up with (in other words, PII you would expect deleted) remains stored with Mailchimp *and* is accessible to the list owner (or anyone with access to the account).
https://www.troyhunt.com/a-sneaky-phish-just-grabbed-my-mailchimp-mailing-list/
Troy Hunt – A Sneaky Phish Just Grabbed My Mailchimp Mailing List
https://www.troyhunt.com/a-sneaky-phish-just-grabbed-my-mailchimp-mailing-list/
Any newsletter service hosted in Canada? Alternative to #Klaviyo #Mailchimp
Hey, folks! I’m looking for a Staff Software Engineer to join my team (API Core) at #Mailchimp.
Some of the things we work on: #PHP, #REST, #OpenAPI, #OAuth2, #APIGovernance, and more.
We are stewards of our public #APIs, and we collaborate with other capabilities teams to ensure APIs are developed according to our standards and processes. You would work directly with me on a daily basis.
This position is in Atlanta or New York.
https://jobs.intuit.com/job/atlanta/staff-software-engineer-api-core-team/27595/76329932512