Substack confirms data breach exposing user emails and phone numbers
What's the story
Substack, a popular newsletter platform, has confirmed a data breach that exposed user information. The company revealed in an email to users that an "unauthorized third party" gained access to their data in October last year. The compromised information includes email addresses, phone numbers, and other internal metadata. However, Substack clarified that more sensitive details like credit card numbers and passwords were not affected by the breach.
Apology issued
A vulnerability was discovered this month
Substack CEO Chris Best addressed the security incident in an email to users. He said that the company discovered a vulnerability in February that allowed unauthorized access to its systems. "I am reaching out to let you know about a security incident that resulted in the email address and phone number from your Substack account being shared without your permission," Best wrote.
Commitment made
We came up short here, said Best
Best assured users that Substack has fixed the vulnerability and launched an investigation into the matter. He expressed regret over the incident, saying, "I'm incredibly sorry this happened." The CEO also emphasized their commitment to data protection and privacy, adding they "came up short here." However, details about the exact nature of the system flaw or how it went undetected for five months remain unclear.
User caution
Users advised to be cautious of phishing attempts
Substack has not disclosed how many users were affected by the breach. The company said it has no evidence of user data being misused but didn't specify what technical measures it used to detect potential abuse. In light of this incident, Substack has advised its users to be wary of emails and texts without any specific indicators or guidance.