Security Fatigue Is Real — Even for the Experts
A hard-learned lesson: Use phishing-resistant fail-safes
Students of cybersecurity can learn multiple lessons from Troy Hunt's candid story. He bravely told the world how he got phished. This article lists important technology fail-safes that could have stopped the breach. Tomorrow's defenders must turn this tech into the default, minimum standard for digital safety.
A Wake-Up Call from Troy Hunt’s Phishing Incident
Even the most seasoned cybersecurity professionals can fall for a phishing scam — especially when tired, rushed, or distracted. In a recent real-world case, renowned security expert Troy Hunt, founder of Have I Been Pwned, had his Mailchimp account compromised by a cleverly timed phishing attack.
This incident isn’t just a cautionary tale — it’s a powerful reminder that human factors matter, and that our defenses must include technologies that protect us even when we slip. Kudos to Troy for candidly sharing this incident with the world so we can all learn very important lessons about security fatigue.
Anatomy of the Attack: When Security Fatigue Strikes
In March 2025, while traveling internationally and managing a newsletter send, Hunt received what looked like a legitimate Mailchimp alert. It warned that his privilege to send emails through Mailchimp had been suspended because of a spam complaint, and it urged him to click a link to review and resolve the matter. Jet-lagged and feeling pressured to get his newsletter published on time, he clicked the link. It took him to a phishing domain (mailchimp-sso.com) that looked identical to the real Mailchimp login page.
Despite a red flag — his 1Password password manager didn’t auto-fill his credentials, because the saved entry didn’t match the domain he was on — he manually typed them in. Then the page asked for his one-time password (OTP). Once he entered it, the phishing page froze. Behind the scenes, attackers were already using his credentials and OTP in real time to access his Mailchimp account and exfiltrate his entire mailing list — more than 16,000 email addresses — in minutes.
This breach wasn’t about a lack of skill. It was about timing, fatigue, and how well-crafted phishing exploits our human side.
Lessons in Human Behavior and Tech Defense
Troy Hunt's transparency offers valuable insight for every cybersecurity student and educator. Key takeaways:
- Security fatigue is real: Even experts miss red flags when they’re tired, rushed, or distracted.
- Password managers are smarter than we think: When they don’t auto-fill, that’s a signal to stop and verify.
- Traditional OTPs are not enough: Real-time phishing attacks can relay OTPs instantly, bypassing this form of two-factor authentication.
- Domain deception is getting better: A phishing URL like mailchimp-sso.com can look trustworthy at first glance, especially under pressure.
Why Passkeys and Similar Tech Matter
Here’s the kicker: Troy Hunt was in the UK promoting the use of passkeys when he got phished.
Unlike OTPs and passwords, passkeys cryptographically bind the authentication process to the correct domain. If Hunt had been using passkeys, he later wrote, “the system simply wouldn’t let me authenticate on a phishing domain.” Passkeys replace passwords with a cryptographic key pair: one public, one private. The private key stays on your device (or in your password manager). Your public key is stored with the online service. When you log in, the service sends a challenge that your device signs with the private key, verifying your identity without exposing a password.
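The domain binding described above, and the contrast with the relayed OTP from the incident, as an added model in Go (not code from the original article or from any real passkey implementation): the authenticator keys its credentials by relying-party ID, the browser supplies that ID from the page's real origin, and the signature covers the hash of that ID plus the challenge. The genuine domain name "mailchimp.com" and the challenge bytes are assumptions; the look-alike domain is the one named in the incident.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Authenticator keeps one key pair per relying-party ID (rpId), like a passkey store.
type Authenticator struct{ creds map[string]*ecdsa.PrivateKey }
func NewAuthenticator() *Authenticator { return &Authenticator{creds: map[string]*ecdsa.PrivateKey{}} }
// Register creates a passkey scoped to rpId; the public key is what the service stores.
func (a *Authenticator) Register(rpId string) *ecdsa.PublicKey {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	a.creds[rpId] = k
	return &k.PublicKey
}
// signedData mirrors WebAuthn: the signature covers hash(rpId) plus the challenge.
func signedData(rpId string, challenge []byte) []byte {
	rpHash := sha256.Sum256([]byte(rpId))
	h := sha256.Sum256(append(rpHash[:], challenge...))
	return h[:]
}

// Assert signs for the rpId the browser derives from the real origin, never one the user types.
func (a *Authenticator) Assert(originRpId string, challenge []byte) ([]byte, error) {
	k, ok := a.creds[originRpId]
	if !ok {
		return nil, errors.New("no passkey registered for " + originRpId)
	}
	return ecdsa.SignASN1(rand.Reader, k, signedData(originRpId, challenge))
}

// Verify is the relying party's check: a valid signature over its own rpId and challenge.
func Verify(pub *ecdsa.PublicKey, rpId string, challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, signedData(rpId, challenge), sig)
}

// PhishingScenario replays the incident with a passkey in place of password + OTP.
func PhishingScenario() (genuineOK bool, phishErr error) {
	const realRp, phishRp = "mailchimp.com", "mailchimp-sso.com" // realRp is an assumption
	auth := NewAuthenticator()
	pub := auth.Register(realRp)
	challenge := []byte("constructed nonce from the genuine service") // constructed sample
	sig, _ := auth.Assert(realRp, challenge)
	// The phishing page relays the real challenge, but the browser reports its own origin.
	_, phishErr = auth.Assert(phishRp, challenge)
	return Verify(pub, realRp, challenge, sig), phishErr
}
```

An OTP, by contrast, is a bare six-digit value that verifies wherever it is submitted, which is why relaying it in real time works; nothing in the code typed by the user names the site it was meant for.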
When stealthy phishing attempts bypass human smarts — and they will, even for the most skilled — we need phishing-resistant technologies like passkeys to act as safety nets. This is exactly why the cybersecurity community must champion these tools: they provide a crucial failsafe when human judgment falters.
For the Classroom
Ensure cybersecurity students can articulate clear answers to the following questions.
- How can password managers serve as a second set of eyes?
- What makes OTPs vulnerable in real-time phishing attacks?
- In what ways can passkeys change the future of authentication?
- What role does emotional state play in user security decisions?
- How can organizations like Mailchimp reduce phishing exposure for users?
- What are the benefits of publicly disclosing a cyber breach, and how should this be handled?
Also discuss how to:
- Use biometric authentication like fingerprint or facial ID in two-factor authentication (2FA).
- Set up and use passkeys.
- Enable passkeys on the growing list of major websites that support them.
- Protect against malware that lets criminals bypass passkeys by stealing users' authenticated browser session cookies.
- Examine websites' privacy pop-ups and choose a short cookie expiration when the option is offered.
Final Takeaways for Cybersecurity Students
Everyone is vulnerable — not just end users. Spear phishing is sophisticated and targets those with a lot to lose. Cyber teams must support these executives and managers with strong tools and training.
Security fatigue isn't going to disappear. We need layered defenses that don't rely solely on perfect user behavior.
Passkeys, FIDO2, and other phishing-resistant technologies must become standard and ubiquitous.
Breach response matters. Transparency, speed, and ethics in disclosure are critical to maintaining trust and leading by example.
As Washington builds its cybersecurity talent pipeline, we must teach more than just tools — we must prepare for the human realities of the field. The future of cybersecurity depends not only on sharp minds, but on the technologies and practices that protect us from our most human moments.
