Have I Been Pwned owner, pwned - Hypertext
htxt.co.za
A phishing attack managed to fool Troy Hunt into handing over MailChimp credentials.
  • A jetlagged Troy Hunt accidentally clicked a link and logged into an account only to realise he had been phished.
  • Despite reacting quickly, attackers were able to export a mailing list for Hunt’s personal blog.
  • Hunt has detailed the attack and warned his subscribers in a timely fashion.
  • sugar_in_your_tea@sh.itjust.worksEnglish
    1·
    12 days ago

    I almost fell for a bank scam a couple years back. Basically, I had just gotten a new phone w/ GrapheneOS, which doesn’t have Google’s scam number protection (I was well aware, that’s not the issue) and I hadn’t yet transferred my contacts, and I received a call about a fraud alert on a card. This has happened a few times, and usually it’s a pretty straightforward call where they verify my identity before asking me about certain transactions. As a bit of background, I was on vacation at the time and I got the call while waiting in the parking lot while my SO ordered something at a food truck.

    Anyway, the call progressed like this:

    1. Mentioned <card type>, which I have
    2. Asked to verify my identity with a code to my phone - standard
    3. Went over a couple suspicious transactions, which I confirmed wasn’t me
    4. Asked to verify my identity again, and that’s where I got suspicious, so I didn’t provide it

    I immediately called my bank and sorted things out, and we figured out nothing was stolen because I didn’t provide the second code (that was to link an external account to suck my money out). Because I was in an unfamiliar setting and honestly pretty tired (we drove all day the day before), I just skimmed the text in step 2 w/o reading that it was a user-initiated code (i.e. for a password reset) instead of a bank initiated code (i.e. verify identity).

    I consider myself a pretty security-conscious person. I use a password manager, MFA everywhere I can (preferring TOTP), I’m a lead backend SW engineer who has caught multiple security issues, etc. However, I fell for the scam and missed the safeguard that should have protected me. Fortunately it all worked out, but I did have to change all of my account numbers and login, which wasn’t particularly fun while on vacation. That bank is fortunately one of the few that supports TOTP in my country, though I had avoided setting it up because it required a special app (Symantec VIP) and calling in (no self-service). I now have it set up and feel much better about my account security.