- A jetlagged Troy Hunt accidentally clicked a link and logged into an account only to realise he had been phished.
- Despite reacting quickly, attackers were able to export a mailing list for Hunt’s personal blog.
- Hunt has detailed the attack and warned his subscribers in a timely fashion.
You must log in or register to comment.
TIL: Nobody is perfect
glares in the general direction of the White House
…did you think there were perfect people in the White House before this? Or at any point in your life? Haha
(Maybe as a child would that make sense…)
Teddy Roosevelt was pretty chill. He’s surely not perfect, but he’s pretty okay in my book.
I’m a Jimmy Carter man, myself.
Pobody’s Nerfect
You live and you learn it
Only just today?
Solving the “being human” part of security will probably never happen, which is why you’re encouraged to do stuff like use 2FA, different passwords, service isolation and stuff like that.
Anyone and everyone can be fooled at some point, best to try and limit the damage.
Exactly. Put as many obstacles as possible into the path of scammers, and give yourself as many chances as possible to stop said scammers, and all without making services too annoying to use.
MFA + password manager seems to work well.
FIDO2 and security keys are the closest things we have to a solution. Unfortunately far too few companies support them. It would have saved him here because each credential only works with the proper URL for it.
I’m not just the owner, I’m also a member!
Thats why we have RSS feeds. Thats how I follow Troy
Don’t password managers verify the domain name before offering credentials?
Does that mean he doesn’t use a password manager?
Edit: RIP, now that’s a proper phishing. I understand where he’s coming from
This was mentioned in the write-up, the password manager didn’t autofill, but he was too out of it to notice at first
Depends… if you use an offline password manager ( like keepass), you can ask it to autotype your credentials into anything… if that’s what you ask it to do (ie it’s not a fault)
Main point though: don’t reuse the same credentials across different sites.
They’ll get 1 site, but not all the rest of them…
Not everyone uses a browser extension for their password manager.
Why is there a comma in the, title?
It indicates a pause, and a separation of the two objects in the sentence. It is a subtly different sentence than “Have I been Pwned owner Pwned”, and is clearer with greater emphasis on what happened.
wouldn’t it be clearer with
-
“Have I Been Pwned” owner pwned.
-
Owner of “Have I Been Pwned” pwned.
?
I’d argue that the original is clearer and more fun than these, but style is subjective.
-
It feels awkward to me. I don’t think it’s grammatically correct. To me, it doesn’t add any clarity, especially when the comma could’ve been the word “got” or something, lol
Headlines are generally pretty flexible with grammar, because a good headline is supposed to be terse.
I think it’s fine.
I think a professional headline would usually just lack the comma there. Headlines typically have weird phrasing (due to their terseness), but they’re generally still grammatically sound.
I think “HackerNews owner hacked” would be a headline, rather than “HackerNews owner, hacked”.
“Have I Been Pwned owner pwned” seems to be on par with “Headline English” to me
