The Register reports that nearly 16,000 records belonging to current and former subscribers of the Have I Been Pwned (HIBP) Mailchimp mailing list were stolen following a successful phishing attack against HIBP administrator Troy Hunt.
Hunt said the attackers used a highly convincing email warning of a spam complaint that could lead to account deactivation until a proper login was recorded; it contained a link to the mailchimp-sso[.]com phishing site, which captured his credentials and one-time passcode. Entering that information led to the mailing list being exported in under two minutes, indicating an automated intrusion, Hunt noted in a blog post, admitting that he was jetlagged during the incident. While Mailchimp has yet to respond to Hunt's queries about its retention of data from unsubscribed users, Cloudflare has already taken down the phishing site. "By no means would I encourage people not to enable 2FA via OTP, but let this be a lesson as to how completely useless it is against an automated phishing attack that can simply relay the OTP as soon as it's entered," Hunt added.
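Hunt's point that a relayed OTP defeats TOTP can be modelled in a few lines. This is an added example, not code from the article or from Hunt: a toy RFC 6238 verifier accepts a valid code no matter which site the user typed it into, while an origin-bound challenge-response in the style of WebAuthn rejects a response produced on the lookalike domain. The seed, timestamps and the legitimate origin are constructed placeholders.

```python
import hashlib
import hmac
import struct

# Constructed sample TOTP seed shared between user and service (not a real key).
SEED = b"constructed-demo-seed-not-a-real-key"
TIME_STEP = 30


def totp(secret: bytes, t: int, step: int = TIME_STEP, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, then dynamic truncation."""
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


def server_verifies_totp(secret: bytes, submitted: str, now: int, window: int = 1) -> bool:
    """Typical server check: accept the current step and its neighbours.
    Nothing here knows which web page the user typed the code into."""
    return any(hmac.compare_digest(totp(secret, now + d * TIME_STEP), submitted)
               for d in range(-window, window + 1))


def totp_accepts_relayed_code(secret: bytes, now: int, relay_delay: int = 5) -> bool:
    """User enters the code on a lookalike page; an automated relay forwards it
    to the real service a few seconds later, well inside the 30 s window."""
    code_typed_on_lookalike = totp(secret, now)
    return server_verifies_totp(secret, code_typed_on_lookalike, now + relay_delay)


# Simplified model of an origin-bound authenticator: the response covers the
# challenge AND the origin the browser is actually talking to.
def sign_assertion(key: bytes, challenge: bytes, origin: str) -> str:
    return hmac.new(key, challenge + b"|" + origin.encode(), hashlib.sha256).hexdigest()


def server_verifies_assertion(key: bytes, challenge: bytes, expected_origin: str, sig: str) -> bool:
    return hmac.compare_digest(sign_assertion(key, challenge, expected_origin), sig)


def origin_bound_accepts_relayed_response(key: bytes, challenge: bytes) -> bool:
    """The authenticator signs over the lookalike origin named in the article,
    so the relayed response fails against the legitimate origin (placeholder)."""
    sig = sign_assertion(key, challenge, "https://mailchimp-sso.com")
    return server_verifies_assertion(key, challenge, "https://legitimate-login.example", sig)
```

Run the two `*_accepts_relayed_response` helpers side by side: the TOTP path returns True and the origin-bound path returns False, which is the property that distinguishes phishing-resistant MFA from OTP.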
Coverage from Tech Radar indicates that a sophisticated phishing-as-a-service platform, known as Kali365, Octopi365, and Freedom365, is actively targeting Microsoft accounts.
Check Point Research reported that in May 2026, the hospitality, travel, and recreation sector faced an average of 2,291 weekly cyberattacks per organization, a 24% increase from the previous month and more than double the volume seen in May 2023.