https://www.brandonpugh.com/tags/security/ Recent content in Security on Brandon Pugh's Blog Hugo -- gohugo.io en Mon, 01 Dec 2025 00:00:00 +0000 https://www.brandonpugh.com/blog/anyone-can-be-scammed/ Tue, 25 Mar 2025 00:00:00 +0000 https://www.brandonpugh.com/blog/anyone-can-be-scammed/ <p>Even Troy Hunt (a well-known security researcher and creator of <a href="https://haveibeenpwned.com/">Have I Been Pwned</a>) fell for a phishing email.<br> He wrote all about it on his blog: <a href="https://www.troyhunt.com/a-sneaky-phish-just-grabbed-my-mailchimp-mailing-list/">A Sneaky Phish Just Grabbed my Mailchimp Mailing List</a></p> <p>I found it a valuable read, not only for the lessons learned, but it&rsquo;s also a reminder that it could have happened to any of us. The email looks fairly well crafted and I appreciated his analysis of the factors that led to him falling victim. It&rsquo;s important to remember that even the most security-minded people can make mistakes and that security is hard.</p> <p>Honestly the most frustrating part of the story is the fact that Mailchimp doesn&rsquo;t delete unsubscribed emails and even worse they give you no way to opt out of that — so a list owner would have to regularly go in an delete them manually&hellip; and why do they store your IP address?? 😡</p> <p>I also thought it was sneaky that they generated an api key on his account. So in addition to updating login credentials remember to check for any recently added api keys.</p> <p>I hadn&rsquo;t thought of this vector before, but it&rsquo;s now one more reason why I prefer subscribing via RSS.</p> <p>P.S. ButtonDown has a nice <a href="https://docs.buttondown.com/subscriber-cleanup">Subscriber cleanup</a> feature.</p> <hr> <p>Thank you for keeping RSS alive. You're awesome.</p> <p><a href="mailto:blogrss@bpugh.dev">Reply by email</a></p> <img src="https://blog.bpugh.workers.dev/cdn/images?p=/blog/anyone-can-be-scammed/feed">