- A jetlagged Troy Hunt accidentally clicked a link and logged into an account only to realise he had been phished.
- Despite reacting quickly, attackers were able to export a mailing list for Hunt’s personal blog.
- Hunt has detailed the attack and warned his subscribers in a timely fashion.
You must log in or # to comment.
He must have been really tired, he even stated all the warning signs he ignored.
If anything it should just be a warning that literally anyone can make a mistake due to stress/fatigue/whatever
Solving the “being human” part of security will probably never happen, which is why you’re encouraged to do stuff like use 2FA, different passwords, service isolation and stuff like that.
Anyone and everyone can be fooled at some point, best to try and limit the damage.
I just never click links in email.
I clicked one once by accident when trying to select it. You can be as diligent as you want you still will slip up from time to time
Exactly. Put as many obstacles as possible into the path of scammers, and give yourself as many chances as possible to stop said scammers, and all without making services too annoying to use.
MFA + password manager seems to work well.
FIDO2 and security keys are the closest things we have to a solution. Unfortunately far too few companies support them. It would have saved him here because each credential only works with the proper URL for it.
I’ve clicked an obvious phishing link once in an isolated environment with a hardened browser on purpose. It had a tracking link and all and the URL was just ever so slightly off. Nothing happened on the target page though. No attempted script execution, no iframes, no cross site shenanigans, no weird popups or a fake login UI urging me to enter my credentials asap.
Someone from my company’s security department called me shortly, telling me how I’ve failed the obvious phishing exercise and I had to undergo a half hour long mandatory awareness training. Wasn’t getting out of that one.
If you look at the headers, you can tell which ones are fake phishing and real phishing.
I’m not just the owner, I’m also a member!
Don’t password managers verify the domain name before offering credentials?
Does that mean he doesn’t use a password manager?
Edit: RIP, now that’s a proper phishing. I understand where he’s coming from
This was mentioned in the write-up, the password manager didn’t autofill, but he was too out of it to notice at first
Depends… if you use an offline password manager ( like keepass), you can ask it to autotype your credentials into anything… if that’s what you ask it to do (ie it’s not a fault)
Main point though: don’t reuse the same credentials across different sites.
They’ll get 1 site, but not all the rest of them…
Not everyone uses a browser extension for their password manager.
Why is there a comma in the, title?
It indicates a pause, and a separation of the two objects in the sentence. It is a subtly different sentence than “Have I been Pwned owner Pwned”, and is clearer with greater emphasis on what happened.
wouldn’t it be clearer with
-
“Have I Been Pwned” owner pwned.
-
Owner of “Have I Been Pwned” pwned.
?
I’d argue that the original is clearer and more fun than these, but style is subjective.
-
It feels awkward to me. I don’t think it’s grammatically correct. To me, it doesn’t add any clarity, especially when the comma could’ve been the word “got” or something, lol
Headlines are generally pretty flexible with grammar, because a good headline is supposed to be terse.
I think it’s fine.
I think a professional headline would usually just lack the comma there. Headlines typically have weird phrasing (due to their terseness), but they’re generally still grammatically sound.
I think “HackerNews owner hacked” would be a headline, rather than “HackerNews owner, hacked”.
“Have I Been Pwned owner pwned” seems to be on par with “Headline English” to me
