Have I Been Pwned owner, pwned.

Submitted ⁨⁨3⁩ ⁨weeks⁩ ago⁩ by ⁨Tea@programming.dev⁩ to ⁨technology@lemmy.world⁩

https://htxt.co.za/2025/03/have-i-been-pwned-owner-pwned/

A jetlagged Troy Hunt accidentally clicked a link and logged into an account only to realise he had been phished.

Despite reacting quickly, attackers were able to export a mailing list for Hunt’s personal blog.

Hunt has detailed the attack and warned his subscribers in a timely fashion.

source

Comments

Sort:hotnew top

Der_Fossyler@feddit.org ⁨3⁩ ⁨weeks⁩ ago
TIL: Nobody is perfect

source
- cdf12345@lemm.ee ⁨3⁩ ⁨weeks⁩ ago
  glares in the general direction of the White House
  
  source
  - otp@sh.itjust.works ⁨3⁩ ⁨weeks⁩ ago
    …did you think there were perfect people in the White House before this? Or at any point in your life? Haha
    
    (Maybe as a child would that make sense…)
    
    source
- IDKWhatUsernametoPutHereLolol@lemmy.dbzer0.com ⁨3⁩ ⁨weeks⁩ ago
  Pobody’s Nerfect
  
  source
  - bss03@infosec.pub ⁨3⁩ ⁨weeks⁩ ago
    You might like (or have already seen): www.youtube.com/watch?v=tPp-U4QonnM
    
    source
- gofsckyourself@lemmy.world ⁨3⁩ ⁨weeks⁩ ago
  You’re either perfect, or you’re not me.
  
  source
- otp@sh.itjust.works ⁨3⁩ ⁨weeks⁩ ago
  Only just today?
  
  source
  - TeamAssimilation@infosec.pub ⁨3⁩ ⁨weeks⁩ ago
    Don’t blame him, they had that bias because we’re friends, and I would be perfect if not for my excessive modesty.
    
    source
- Linnce@lemmy.world ⁨3⁩ ⁨weeks⁩ ago
  You live and you learn it
  
  source
heavy@sh.itjust.works ⁨3⁩ ⁨weeks⁩ ago
Solving the “being human” part of security will probably never happen, which is why you’re encouraged to do stuff like use 2FA, different passwords, service isolation and stuff like that.

Anyone and everyone can be fooled at some point, best to try and limit the damage.

source
- Auli@lemmy.ca ⁨3⁩ ⁨weeks⁩ ago
  I just never click links in email.
  
  source
  - Jessica@discuss.tchncs.de ⁨3⁩ ⁨weeks⁩ ago
    If you use a password manager it won’t fill credentials because it will be the wrong domain
    
    source
    -> View More Comments
  - Nalivai@lemmy.world ⁨3⁩ ⁨weeks⁩ ago
    I clicked one once by accident when trying to select it. You can be as diligent as you want you still will slip up from time to time
    
    source
    -> View More Comments
- sugar_in_your_tea@sh.itjust.works ⁨3⁩ ⁨weeks⁩ ago
  Exactly. Put as many obstacles as possible into the path of scammers, and give yourself as many chances as possible to stop said scammers, and all without making services too annoying to use.
  
  MFA + password manager seems to work well.
  
  source
- Cornelius_Wangenheim@lemmy.world ⁨3⁩ ⁨weeks⁩ ago
  FIDO2 and security keys are the closest things we have to a solution. Unfortunately far too few companies support them. It would have saved him here because each credential only works on the proper URL for it.
  
  source
LiamMayfair@lemmy.sdf.org ⁨3⁩ ⁨weeks⁩ ago
Happens to the best.

source
- chatokun@lemmy.dbzer0.com ⁨3⁩ ⁨weeks⁩ ago
  I work for a managed service provider, and security for our clients is one of our most important goals.
  
  Our CEO accidentally got phished then sent out emails to all our clients. We rolled with it by explaining kinda what you just said.
  
  source
dubyakay@lemmy.ca ⁨3⁩ ⁨weeks⁩ ago
I’ve clicked an obvious phishing link once in an isolated environment with a hardened browser on purpose. It had a tracking link and all and the URL was just ever so slightly off. Nothing happened on the target page though. No attempted script execution, no iframes, no cross site shenanigans, no weird popups or a fake login UI urging me to enter my credentials asap.

Someone from my company’s security department called me shortly, telling me how I’ve failed the obvious phishing exercise and I had to undergo a half hour long mandatory awareness training. Wasn’t getting out of that one.

source
- Jolteon@lemmy.zip ⁨3⁩ ⁨weeks⁩ ago
  If you look at the headers, you can tell which ones are fake phishing and real phishing.
  
  source
  - cryptix@discuss.tchncs.de ⁨3⁩ ⁨weeks⁩ ago
    Please explain
    
    source
    -> View More Comments
- xigoi@lemmy.sdf.org ⁨3⁩ ⁨weeks⁩ ago
  Is there anything bad that can happen if you just click a link without logging in or anything? How is it different from opening up a random search result?
  
  source
  - _synack@sh.itjust.works ⁨3⁩ ⁨weeks⁩ ago
    Not all phishing links are related to credential theft or trying to get you to download something malicious. Zero-day vulnerabilities in web browsers are revealed constantly. A malicious website (or malicious content embedded into an otherwise benign website) can leverage these or other unpatched vulnerabilities when visited.
    
    You should never follow a known or suspected phishing link unless it’s your job and you are using the appropriate tools and techniques. Just report it to the security department or delete it and move on with your day.
    
    source
    -> View More Comments
  - zerofk@lemm.ee ⁨3⁩ ⁨weeks⁩ ago
    I’m no expert, but as I understand it, there are several things that can go wrong just by clicking. This depends somewhat on your browser settings and how you use it.
    
    Visiting a compromised site may allow the attacker to access data from other tabs and windows in the same browser session. Some sites warn you to close the whole browser when logging out because of this.
    
    Sometimes bugs in a browser can allow a site to run arbitrary code on your machine. These hopefully get patched quickly.
    
    source
    -> View More Comments
skozzii@lemmy.ca ⁨3⁩ ⁨weeks⁩ ago
He must have been really tired, he even stated all the warning signs he ignored.

source
linuxguy@lemmy.gregw.us ⁨3⁩ ⁨weeks⁩ ago
The original article: troyhunt.com/a-sneaky-phish-just-grabbed-my-mailc…

source
danc4498@lemmy.world ⁨3⁩ ⁨weeks⁩ ago
I’m not just the owner, I’m also a member!

source
otp@sh.itjust.works ⁨3⁩ ⁨weeks⁩ ago
Why is there a comma in the, title?

source
freeman@feddit.org ⁨3⁩ ⁨weeks⁩ ago
Thats why we have RSS feeds. Thats how I follow Troy

source