
Popular publishing and blogging platform Substack has apologised to users worldwide after a significant data breach in October exposed their email addresses and phone numbers online.
Chris Best, the chief executive officer of Substack, sent an email to the subscriber community on February 5, stating that the security incident involved an unauthorised third party accessing subscribers’ email addresses, phone numbers and other metadata.
Best did not reveal whether the unauthorised third party exfiltrated the data or published it elsewhere. He said the security incident occurred sometime in October but was discovered on February 3.
"We have fixed the problem with our system that allowed this to happen. We are conducting a full investigation, and are taking steps to improve our systems and processes to prevent this type of issue from happening in the future," Best said.
He added that the unauthorised access did not expose subscribers’ financial information, passwords or credit card numbers, but warned subscribers against unsolicited emails or messages sent by individuals who may misuse their information to commit fraud.
"This sucks. I’m sorry. We will work very hard to make sure it does not happen again," Best added.
According to Troy Hunt, the founder of breach database Have I Been Pwned?, the security incident at Substack exposed about 663,000 data records, including email addresses, some phone numbers and publicly visible information such as publication names and bios.
Substack presently boasts more than 50 million monthly active subscribers, including over 5 million paid subscribers, and is the preferred blogging and publishing platform for writers, podcasters, videomakers, musicians, scientists and creators worldwide.
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543