Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:00):
Welcome to Super Simple Security Principles. I'm Nick Jackson, and I wanna love computers.
(00:07):
They don't love me back. I'm learning how to stay safe online from my good buddy
and master guardian, Makani Mason. Woo! He wrote his first computer program at the age of six,
sealing his fate as a computer geek. That's it. He knows his stuff, folks. Now he spends his time
(00:34):
teaching people like me and you how to stay ahead of the digital threats we face and those bad guys.
He keeps it simple, and we love it. Learn along with me each week. I'll ask the questions
and make sure he keeps it super relevant and super simple for us. If I can do it, you can do it too.
(01:01):
This is episode 62, Even a Security Expert Can Get Phished. Let's go. Here are the questions
we'll be answering in today's episode. Who is Troy Hunt? Spoiler, I think he's sub-tech guy.
Maybe not much of a spoiler. I might have left you with more questions. How did he get phished?
(01:25):
My guess is an expert got gamed at what he's preaching, so let's find out.
What are some lessons we can learn from his story?
My guess is we all have bad days, but that kind of scares me as security.
Who will we be inviting as a guest to the podcast? We're inviting a guest?
(01:50):
Let's go. This is a trick one, but you'll see. I think you'll like it.
Okay. All right. Well, where do we start, man? I'm kind of excited. Who is this Troy Hunt dude?
(02:10):
Yeah. We'll get into that. There's just a little bit of introduction I want to start with before,
but that's definitely on the list. We want to give you just a brief introduction to Troy Hunt.
Okay. Perfect. Let's hear it.
Absolutely. But the first thing I want to just say about him is, obviously, he's a security
expert, right? He does. He teaches online security. He goes around and gives talks.
(02:31):
He publishes things. He has some tools online. He deals with us all the time.
But the thing I really like about him in this was he was humble enough and gracious enough
to share all the little details with us. Okay. Okay. Cool. Right on.
(02:53):
Yeah. I don't know. That's pretty amazing to me that he's willing to do that.
Because if you think about it, you've got to know there's a lot more stories out there like his
that just aren't being shared, even from security experts. There have been a couple others.
Cory Doctorow is another one that he has shared some, and he's a tech guy too. Not quite like
(03:18):
Troy. But anyway, and I get it. It's embarrassing or can feel embarrassing anyway, and that's
why I'm grateful. Because by sharing his story, he lets other people learn from his
suffering, basically. Right. From his mistake, he was able to help others.
(03:42):
Yeah. Well, and we're doing a podcast episode about it. We're going to learn some things.
But the other thing is, hopefully anyway, it will make it easier for the rest of us
to admit when we do make a mistake for our listeners. Yeah.
Right. Because if it happened to Troy Hunt, it can happen to anyone, basically, in my book.
(04:06):
Well, this isn't something that we should be ashamed of. That's the problem, right? We create
such a taboo secrecy around this, like, oh, you got scammed. But the reality is that it should be
like, oh, dude, you got scammed. I'm sorry. What happened? What happened? How did this happen?
(04:33):
Again, we've talked about it in the past. My sister shared a scam alert with me, and I was
about to get scammed. It was as clear as day. Couldn't have been any clearer. The more we open
up about stuff like this, and the more we're willing to admit, hey, look, yes, it happened
(04:53):
to me. Okay, dude, have a little empathy. That sucks, because obviously we don't want it to happen
to anybody. But at the same time, thank you, Troy. Shout out to Troy. Thank you for sharing your story
with us. And for those that are willing to open up about what's really going on here, you know,
(05:18):
instead of just putting up that false facade, right? Yeah. Yeah. Yeah, no, thank you for
expanding on that, because that's exactly, you know, that's really kind of the theme of this
episode, is, you know, in the forum, I named it a safe place, because one of the main goals,
you know, on the forum, on the podcast, everything we do is to create a safe place for people to
(05:44):
admit their mistakes, to learn things that they don't know. And so, you know, I'm grateful also
to the people like your sister and others who have shared some of their stories where they've,
I guess your sister was helping you, but anyway, where people have shared their stories,
because then I can take those things that I learned from them, and then pass it on to other people,
(06:09):
you know, just like with Troy. So, yeah, anyway. So, I guess the other thing I want to say is,
as I was building this episode, and you're going to laugh, but, you know, I ran into a problem,
it got too long. So, we split it into two. So, this is short for one to two, just a little,
(06:32):
you know, just two part series. But so, the breakdown is going to be like this,
and part one, we're going to look kind of at the big picture. Okay. You know, we'll introduce you
to Troy and his website, and kind of go through the story, and then some big picture, as I call
them, lessons. And then in part two, we'll zoom in on just a few of the specific details.
(06:58):
We're not going to go through every layer, because I was looking at that at first,
that was the approach, and it was going to be like another, you know, 10 episodes or whatever.
I just want to do one more on this one. So, I just took a tiny little snippet. We're going to
call it a couple layers of protection against this one aspect, and the idea is some layers
of protection that our listeners can use against phishing emails, and ones that this story in
(07:25):
really stuck out, were highlighted to me. Yeah. Yeah. Let's go, man. I'm ready to hear who this
guy is. Yeah. So, he teaches technology professionals about security. Okay. Not
(07:45):
like us, obviously. Our target is, you know, non-techies, right? Right. And many people,
including myself, know him best for his website, and this is a total geek website,
but we talked about it once, a long time ago, on the podcast. It's called, Have I Been Pwned?
Yeah. Right. Okay. I wasn't sure if you remember. It was a long time ago, but,
(08:10):
you know, that- I mispronounced it.
Oh. That's why I recall it. Yeah. Okay. Right. Well, it's kind of goofy. I mean, right. It's,
you know, right. We explained it, I think, right? It's owned,
but with that O replaced with a P. It's, I mean, total geekness. Right. Right. But, you know,
(08:31):
it has basically the same slang meaning of, I own you, you know? Yeah. Defeats somebody in a
competition, but at least usually related to, you know, computers, and, you know, like video games,
common, you know, but computer security as well, obviously. Okay. Okay. And so the website,
(08:51):
the service it provides is you can put in your email address or a password to see if that email
address or password has been pwned. Meaning, has it been revealed to the world, you know,
in a data breach? Because his website, yeah, I think we initially covered it when we talked
(09:12):
about data breaches a bunch, because on his website, he has a listing of data breaches. He
compiles data from all the big data breaches. So that you can do that lookup. And there are a lot
of tools that actually rely on his website for that, because he provides that data.
Wow. So yeah, it's a great little website. And actually, ironically enough, so his story ended
(09:36):
up in a data breach of some of his own data. And so it's on his own data breaches on his website.
You know, that's hilarious. Yeah, it is. It's funny. You go look is they, you know,
Troy Hunt's data breach email list data breach anyway. So it was Yeah. So okay, so now the story
(09:58):
of what happened to Troy. He had been traveling, as he does, like he travels around the world
speaking at events. Okay. He was super tired, jet lagged. And, you know, it was in this state
of mind that he checked his email. Yeah, you kind of see where that's going. Right. So I'm
(10:22):
going to read just a couple quotes. One quote now from him. He says, I've received a gazillion
similar phishes before that I've identified early. So what was different about this one?
Tiredness was a major factor. I wasn't alert enough. I didn't properly think through what
I was doing. The attacker had no way of knowing that. I don't have any reason to suspect that
(10:43):
this was targeted specifically at me. But we all have moments of weakness. And if the phish
times just perfectly with that, well, here we are. Yeah. So he received a phishing email,
pretending to be from a company called MailChimp. Okay, now, MailChimp is a real company. And Troy
(11:09):
actually does have an account with them, as you might imagine, right? He uses MailChimp to send
out his email newsletter. And the email basically said that his sending privileges were restricted.
And he wasn't going to be able to send out his email newsletter like he usually does.
Now, here's the thing, that's a very plausible thing to have happen. Because when you're sending
(11:32):
out newsletters, all sorts of things can happen. Red flags can be raised, because they're trying
to prevent spammers, and phishing and all sorts of, you know, nefarious stuff. And so it's 100%
plausible. It's happened. I mean, I have email lists and stuff. It happens. It happens to anybody
who has an email list for any amount of time, it's going to happen. So it's 100% plausible.
(11:54):
So here's my second quote from Troy about it. He says, reading it again now, that's a very
well-crafted phish. It socially engineered me into believing I wouldn't be able to send out my
newsletter. So it triggered fear. But, and this is really important, it wasn't all bells and whistles
about something terrible happening if I didn't take immediate action. It created just the right
(12:18):
amount of urgency without being over the top. Yeah. Right. Because it's when they get carried
away, and then you're like, okay, of course, it's just, it's stupid. It's easy to catch your brain.
Right. So anyway, next, he clicked on the link in his email, which is fine. Again, one more step,
(12:41):
nothing bad yet. But then he went to log into his account with his password manager,
1Password, like we use, and it failed to automatically log him in.
Because as we know, it was a phishing website, not the real one. It was doing its job.
No, but it didn't. That's the thing what I'm saying. It did its job. It did not log him in.
(13:04):
Right. That's what I meant. 1Password was doing its job. It was keeping it safe.
It wasn't fooled. Right. Yeah. Right. But in his tired state of mind, and because sometimes this
happens, and that's a different topic we're going to get into more later, but he proceeded to
manually copy and paste his username and password from 1Password into his website.
(13:31):
Then it asked for his two-factor authentication token, which he also proceeded to manually enter.
Right. Now, and that's when they got in. The moment he had done that, the hackers had access
to his real MailChimp account, and they downloaded his email list. Now, basically,
(13:57):
at that same moment that it happened with the delay and just kind of all the things his brain
had been processing, he's like, oh, he knew what happened. He knew. He knew. But it was too late
because it was 100% automated, and so the moment they had access to it, boom, it just all happened.
They were able to get in, download his email list, and then he locked them out, but they'd already
(14:18):
had what they need. Yep. Yeah. So any questions, anything unclear in that story that we got too
technical or anything? No, unfortunately. That was the worst part. You're telling me this,
and I'm like, no, 1Password was doing its job. This is me, a non-techie, knowing that, look,
(14:44):
if you click on it and it doesn't work, it's probably because the websites don't match,
and that means it's a phishing website, right? Yeah. Brutal. Yeah. So before we jump into the
lessons, I just want to give a caveat on here is the whole point of this is not to critique
(15:12):
Troy or point fingers at him or be like, oh, whatever, not even to give him advice or anything.
It's really just to kind of embrace that gift that he gave us and just see what we can learn
from it for ourselves for the future. Right. Because I'm sure there's nothing I'm going to
teach you guys that he doesn't already know. It was just he was tired. Right. Just had a moment
(15:37):
of weakness. It can happen to anybody. Yeah. Anyway, I have three lessons that I have. Any
lessons that jump out to you, jump out at you that you want to comment on before we...
Just that it should probably be a red flag if you're using a password manager
(16:01):
and it doesn't like the website, it should probably be a good time to take a moment and pause
and think. That's my thought. Yeah. 100%. Well, and he commented on his post too,
and the thing I'll add there is not only should you pause, but then... So the problem is sometimes
(16:31):
you... Should go direct to the website after that, right? Well, yeah. The problem here is
that the reason why it didn't raise more of a red flag for him, because I know you've experienced
this as well, but sometimes there are multiple places where you use the same username and
password that are totally different domains, totally different websites. And so now most
(16:57):
password managers, definitely 1Password can handle that, but you have to help them know. So
you'll have to edit your thing in there and make sure that you get both websites associated with
that entry, right? And then it won't stumble on it in the future. And obviously anytime you add
one, you want to be very careful about it, but that's what it should trigger is it should trigger
(17:19):
you looking at it and then deciding, okay, is this actually a separate place that I'm using it at?
Or is it a phishing website? And you want to obviously be really careful about that verification.
But anyway, that's where a big part of the problem comes from is because it's so common these days
to have a username and password that you use at multiple websites that makes that
(17:44):
not as much of a red flag as it would be. Does that make sense? That makes sense. Yeah, that makes sense.
And he showed an example in his blog post about it where he had a different account that
is totally different looking. And it's just, yeah, that's what happens. So lesson number one,
(18:09):
and we won't cover this a lot because you did a real job introducing this at the start, but
is it can happen to anyone. It can happen to a security expert. It's clearly
not just a matter of knowing enough, being smart enough. So if it does happen to you, please don't
(18:29):
be like, I'm so stupid. It doesn't mean you're ignorant or incompetent or
anything else other than just being human. Yeah. And honestly, for me, as important as I've
seen this in the world, that one lesson was enough for me to be excited about making
(18:50):
this episode. There's just way too much shame and blame when it comes to
being a victim of hackers. And just like with most hard things in life, when we
make a mistake in online security, it's really nice to know we're not alone. Right. Yeah. So
(19:15):
lesson number two is the system itself is flawed. If somebody like Troy Hunt,
if a security expert can fall prey to such an attack, to me, the first thing that
really is coming to my mind is not like, what did he do wrong? But what is wrong with the system?
(19:36):
Right. And in this case specifically, it's the email system.
Right. Now, obviously, if you've been listening to us for a while, this is not news, right?
Right. We've talked at length about how bad the email system is, but a pretty powerful
reminder. Right. It means we still have work to do, a war to fight. And one of the ways is to
(20:03):
share our stories. And then in the next episode, we'll talk about more detailed layers of
protection. But I'll add this, actually. I don't know if I've told you this, but I have aspirations.
I have a lot of projects. This is one of my favorites. And it's a big one, but I want
(20:25):
to fix our email system. Let's go. Because I got a software developer. I have all that security.
I know how to fix it. Non-trivial, but anyway, I'm excited to do that one day. So,
totally side irrelevant, but I'm excited. So, let's go. Okay. Lesson three.
(20:51):
Phishing attacks are getting stronger. And in the world of online security, I mean,
it's kind of accepted as a truism that attacks almost without fail get stronger over time.
And this is a perfect example. And I would add too, there's still a massive flood of
(21:17):
super poor quality phishing emails that go out. And so, I think that can lull us into
kind of a false sense of security. Yeah.
Because it's a slowly increasing number of well-crafted phishing attacks, but that blend
of all the old crappy ones that are still kicking around, part of our brain just wants to dismiss
(21:41):
the notion of a phishing attack. Right? Right. Right. Honestly.
Yeah. I do. You see the super simple ones, you're like, ah, see, that's a phishing scheme.
So obvious that all of a sudden, then when a well-crafted one comes along, you're like,
(22:05):
yeah. Yeah. Yeah. Yep. And even worse is, this was a well-crafted one, but it wasn't targeted
specifically at Troy. Right? Right. The more targeted generally, we have a correlation with
higher quality. Right? Right. But I mean, this was probably targeted slightly at maybe all the
(22:29):
people that they knew of that might, they thought had an account with MailChimp. So it was like
semi-targeted probably. Yeah. But it just kind of gives you an idea of the overall skill level
and capability, I think in large part with AI, the way it's trending anyway, just getting
(22:52):
more and more. So the lesson here, okay, in my mind is the time to take action is now, right?
Because the attacks are going to get stronger over time. We know that. The question is,
are the defenses that we're using, are they getting stronger too?
(23:17):
That's a fair question. Because they can be. I believe we can get ahead, we can stay ahead of
the bad guys. And that's obviously, that's why we're here. Right? That's what we want to do.
But that's kind of the lesson is they're getting stronger. So we need to not wait until we get
(23:37):
compromised. We need to build up our defenses proactively. And then actually I have a bonus
lesson because I did my three, but then as you know, part of my process is after I get my notes
ready, I have Kem review them. Right. And so he had one significant point that he mentioned that
(24:01):
I didn't have in here. So I just, yeah. So in this case, Troy immediately figured out that he
got phished. Yeah. And there's a number of reasons why that is. But in many cases, you may get phished
and not know it for a long time, if ever, right? Especially if you're not a security expert.
(24:30):
Right. Right. And again, so why does this matter? And I don't know, for me, it's basically one more
reason to protect yourself against phishing, because phishing is still the most common attack
out there. Yeah. And like we talked about, there's, you know, tons and tons of, you know,
(24:52):
lousy ones and, you know, millions probably that are failing every day,
but they're still doing it. It's clearly working often enough.
So, you know, keep listening to the podcast, especially next week's episode,
because we're going to talk about some steps to protect yourself against phishing.
(25:16):
And yeah, I think that's all my lessons. Nice. Well, what about our call to action, man?
Well, so this one, I thought a lot about. Here's my call to action.
Okay. I want you to share your story, you know, our listeners, right? Okay. Yeah. If you've been
(25:43):
hacked, scammed, tricked, or just did something stupid, whatever. Yeah. Well, you've been great
about that. You've shared, you know, a number of stories along the way. Yep. And so, but like we
talked about, there's power in this, right? There's power. Absolutely. And so, I mean, that's what I
invite our listeners to do is share that story in any format with anyone you choose. Obviously,
(26:06):
I would love for you to share it with me privately or publicly. Yeah. And if you're willing to
share, you know, really publicly, I'd love to do it here on the podcast. That'd be awesome.
That would be awesome. Listeners out there, if you want to share your story,
throw us a tag. Hit us up real quick. Send us an email. Shout us out on the forum.
(26:32):
Yeah. We'll bring you on the show. Yeah. And so, and this is an open invitation. And this is,
you know, my question that I was at the start about, you know, who we're going to have as a guest.
Yeah. It's not a particular person. This is, you know, kind of a new...
I see what you're doing. Yeah. Because like, so lots of podcasts do guests, right?
(26:55):
Right. You know, and I've thought a lot about what kind of guests do we want? Because that's,
you know, it's a cool thing. It's fun, mixes things up, could be have good value. And this
is the first kind of, you know, category of guests that I want to have on is just anybody.
I mean, it could be a non-techie, it could be a techie, whatever, anybody who has a story about
(27:15):
this that they want to share, they're willing to share with our audience. And, you know, so this
is the start of that, but it's an open invitation and forever. So, you know, and the way I figured
we'd do it is if somebody comes on, you know, we can walk through the story, you know, answer any
questions about it that they have, you know, maybe they don't understand exactly what happened
(27:41):
still or how to protect themselves against it in the future. You know, if I have any advice
for them about the layers of protection that they should get in place to make sure it doesn't
happen again, you know, go over that. Yeah. Anything like that. And so, yeah. And to kick
(28:02):
things off, I'm going to share my own story of, you know, kind of a fail online. Kem is also
going to share his own story. Let's go. And it won't be, you know, next week because we're going
to finish up the second part of today's episode. But then after that, before we dive into our
(28:22):
next big series, we're going to do just a couple one-offs about this. And then, yeah, then we'll
go from there. So, there you go. So, share your story. That's the one-sentence version of the
Call to Action. Share your story. And if you want to get on our podcast, let's hear from you.
(28:47):
Yeah. And we'll tell your story. We'll have you tell your story. Yeah, exactly. Yeah. Let's give
you a platform and a voice to share that, right? Yep. So, other people can learn and benefit. Yeah,
absolutely. Love it. Okay. Well, just as a spoiler since, you know, you've been stealing a lot of my
(29:09):
thunder, man. A lot of it. You know, next week is part two of the Troy Hunt series, you know. So,
we're going to finish that up. We're going to keep that story moving forward. We're going to
zoom in on the details, as Makani said, of his story to get the layers of protection that we need
to identify and how we can layer up our security. So, tune in next week to hear the rest of this
(29:36):
story and how it can benefit you, man. You ready? Are you ready to take action and wondering where
to start? Get my Bulletproof My Identity Starter Kit for free. The seven most vital layers of
protection everyone needs. I'll send you one step at a time and help you if you get stuck. Just go to
(30:05):
bulletproofmyid.com and enter your name and email and I will send you the first step. Again, that's
bulletproofmyid.com.