Substack CEO apologises for security breach affecting personal data

Breach undetected for five months

Substack has confirmed a significant data breach that exposed user information, but questions remain about the scale of the breach and why it went undetected for five months.

Digital publishing platform Substack has confirmed a data breach in an email to affected account holders. The company said that in October, an “unauthorized third party” accessed user data, including email addresses, phone numbers, and “internal metadata.”

Substack said that financial data such as credit card numbers, and other sensitive data such as passwords, were not exposed.

Substack CEO Chris Best emailed affected users, acknowledging that email addresses had been shared without permission and offering an apology.

The email confirmed that the incident was identified only a few days ago, although the breach itself occurred in October. Best said that Substack has now fixed the issue and has begun an investigation.

Best’s email was frank, but a great deal remains unknown about the scale of the incident. The company has not said how many users are affected, why the breach took five months to detect, whether the attackers have demanded a ransom, or what exactly “internal metadata” refers to.

Commenting on the breach, Trevor Dearing, Director of Critical Infrastructure at Illumio, picked up on that last point.

“Substack forums act as central hubs for various communities, particularly within the technology industry, making it a natural target for cybercriminals,” he said.

“At this stage, investigations need to establish the extent of any potential lateral movement during such a prolonged period of undetected access. The theft of user data and internal metadata can enable attackers to conduct reconnaissance, track individuals, and steal credentials. Internal metadata often escapes security scrutiny because it is embedded in familiar files, such as documents, or generated by internal infrastructure.”

Substack has fallen back on the standard post-breach communications line: it says it has no evidence that users’ data is currently being misused, but urges users to treat unexpected emails and text messages with caution.

Dearing also argued that the use of AI in cyberattacks will force platforms like Substack, which has 50 million subscribers, to raise their game, since attacks should be treated as inevitable.

“This example highlights how broken current cybersecurity approaches are as AI will accelerate and increase these attacks, making it essential to assume they’ll happen and plan ahead to limit the impact. Building resilience, improving visibility, and ensuring there are controls to prevent attackers from moving through or exfiltrating data from a network are all key to reducing harm.”