Substack Just Accidentally Revealed Email Addresses of Tons of Users

Oh god: Someone at Substack accidentally sent out an email blast exposing the email addresses of numerous users.

Substack is a subscription newsletter service that has recently won a lot of positive publicity for providing a home for journalists and others to build independent audiences in an era defined by mass layoffs in media. So it could be accurately stated that correctly managing email is their entire business. Unfortunately, the account sent out updated terms of use, publisher agreement, and privacy policy on Tuesday evening using the CC field (the one that shows the email addresses of everyone on a thread) instead of the BCC field (the one that, you know… doesn’t do that).
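The Cc-versus-Bcc distinction above is exactly what a pre-send guard should enforce. The following is an added example (not Substack's code): it counts the addresses that every recipient would see in To/Cc, refuses a bulk notice that exposes more than one, and shows the more robust alternative of rendering one message per subscriber. The function names, the sender domain and the subscriber addresses are constructed for illustration.

```python
"""Pre-send guard against the CC-instead-of-BCC mistake (added example, not Substack's code)."""
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample subscriber list; none of these are real addresses.
SUBSCRIBERS = ["h.user@example.com", "i.user@example.org", "k.user@example.net"]


def visible_recipients(msg: EmailMessage) -> list[str]:
    """Addresses every recipient sees: anything in To or Cc. Bcc is stripped on delivery."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _, addr in getaddresses(headers) if addr]


def check_bulk_send(msg: EmailMessage, max_visible: int = 1) -> tuple[bool, str]:
    """Return (ok, reason). A notice to many subscribers may expose at most
    `max_visible` addresses (normally only the sender's own list address in To)."""
    exposed = visible_recipients(msg)
    if len(exposed) > max_visible:
        return False, f"{len(exposed)} addresses exposed in To/Cc; use Bcc or one message per recipient"
    return True, "ok"


def individualize(template: EmailMessage, recipients: list[str]) -> list[EmailMessage]:
    """Safer than Bcc for bulk notices: one copy per subscriber, addressed only to that subscriber.
    Only From/Subject/Reply-To are copied; content headers are regenerated by set_content."""
    copies = []
    for rcpt in recipients:
        m = EmailMessage()
        for name in ("From", "Subject", "Reply-To"):
            if name in template:
                m[name] = template[name]
        m["To"] = rcpt
        m.set_content(template.get_content())
        copies.append(m)
    return copies


def build_notice(recipients_in_cc: bool) -> EmailMessage:
    """Build the terms-of-use notice the way it went out (Cc) or the way it should have (Bcc)."""
    msg = EmailMessage()
    msg["From"] = "notices@newsletter.example"  # constructed sender
    msg["To"] = "notices@newsletter.example"
    msg["Subject"] = "Updated terms of use and privacy policy"
    msg["Cc" if recipients_in_cc else "Bcc"] = ", ".join(SUBSCRIBERS)
    msg.set_content("Our terms of use, publisher agreement, and privacy policy have been updated.")
    return msg
```

Running `check_bulk_send(build_notice(recipients_in_cc=True))` fails the guard with four exposed addresses, while the Bcc variant passes with only the list address visible.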

It’s not clear whether the users who received CCs instead of BCCs fall into a particular group or how many there were, but one of the email chains forwarded to Gizmodo contained 500 email addresses starting with the letter H to partway through the K’s. Another contained a similar deluge of emails including ones appearing to belong to Amazon CEO and world’s richest man Jeff Bezos, celebrity entrepreneur Mark Cuban, venture capitalist Peter Thiel, Sun Microsystems co-founder Vinod Khosla, civil rights activist Deray Mckesson, Snapchat CEO Evan Spiegel, Twilio CEO Jeff Lawson, and Getaround founder Jessica Scorpio.

All of those email addresses appear to be work accounts. Many, but not all, of them also appear to already be public knowledge. It is also entirely possible that some of the recipients were signed up for Substack by someone else, and the service allows sign-ups without email verification. (The email Bezos may have used to sign up for Substack pulled up just two results on Google from a lead generation service, and hasn’t been posted to Twitter, but it’s not exactly a stumper. Bezos is also well known for encouraging people to email him personally at public-facing addresses, so it’s not like it’s a huge secret either.)

One of the email chains forwarded to Gizmodo, email addresses redacted. (Screenshot: Gizmodo)

Knowing someone’s email address obviously does not directly compromise the security of the account — but it does potentially expose that account to things like phishing attempts, malware, spam, threats, and break-in attempts using any shared passwords that may have been revealed in prior data breaches. That said, there is virtually no way to avoid automated email harvesting, even if the email address in question was never publicly posted or somehow managed to avoid being included in a data breach.

There’s also the issue that Substack has now created an unknown number of email threads that hundreds of people can and will reply to, possibly triggering what’s been referred to as a Reply Allpocalypse. So, uh, good luck with that.

In a statement on Twitter, Substack wrote it simply made a huge mistake that it managed to correct after the “first batch” of emails went out. It also said only a “small percentage” of users were included.

“While we caught the error early, it was too late to retract that first batch. We are so sorry this happened — and we are aware of the irony,” the company added. “This was a genuine mistake, we feel terrible about it, and we will do everything in our power to never repeat it.”

Gizmodo has reached out to Substack for comment, and we’ll update if we hear back.