However, the hacker behind the phishing attack appears to have only stolen the email addresses of those who subscribed to Troy Hunt's blog, rather than Haveibeenpwned.com.
  • LadEnglish
    3923 days ago

    At least he admitted it. That’s worthy of respect I think. Just proves that nobody is invulnerable.

    • @[email protected]English
      823 days ago

      That’s really how we should think about a lot of things. People don’t fall for stuff because they’re dumb. They fall for stuff because they’re vulnerable.

  • LiveLMEnglish
    2823 days ago

    The biggest takeaway for me is this:

    but we all have moments of weakness and if the phish times just perfectly with that, well, here we are.

    We can never assume we’re above it, all it takes is one not-so-good day to cause you to slip

    • OgmiosEnglish
      1523 days ago

      It’s a pretty great example to highlight just how insecure the digital environment is. Only takes one tiny mistake to open yourself up to significant harm.

  • @[email protected]English
    1223 days ago

    Phishing emails are getting pretty good these days, and fairly well targeted too. I get some at work that are fairly convincing, emulating emails from services we actually use.

    However…

    “Hunt clicked on the phishing email, which led him to enter his credentials and one-time passcode into a hacker-controlled login page.”

    Using a password manager should have prevented this, or at least make it a lot more likely you would realize something is wrong, because it will only enter your credentials on the correct domain name.

    I also do the whole “don’t click links in emails, go to my bookmark for that service instead” thing as much as I can too. Especially for banking, I never click any link on those messages.

    • GeekManEnglish
      222 days ago

      Heh yeah they’re getting better.

      One day working in I.T. at a bank, I received an email that was formatted and written really convincingly that someone has referred me for a bigger role with a salary bump, with light/abstract details that could ‘be inferred as’ relevant to my country, sector & role. It just asked to click-through to see the opportunity-

      -which popped-up a warning from the company’s I.T. security that this was a phishing testing/training email, and I’d failed.

      I usually evade a phish, but this slightly-targeted one got me good.

      After that I had to ritualistically double-check potentially legitimate emails from external domains, for sketchy domains/short URLs/links/tracking cookies etc, because they included vendors & 3rd party consultants or contractors we were working with.

      At least (the) God(s) know scammers are bad people.

      Heh.