Why Hasn't Substack Issued an Official Statement About Its Data Breach?
Source: Hacker News
Overview
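Newsletter platform Substack confirmed a data breach in an email sent to users. In October, an “unauthorized third party” accessed user data including email addresses, phone numbers, and other unspecified internal metadata. More sensitive data, such as credit card numbers, passwords, and other financial information, was not affected.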
Details of the breach
- Date of incident: October (unauthorized access)
- Discovery: February, when Substack identified the issue that allowed someone to access its systems.
- Data accessed: Email addresses, phone numbers, and internal metadata. No evidence that credit‑card numbers, passwords, or other financial information were compromised.
The exact nature of the system vulnerability and the full scope of the accessed data remain unclear. It is also unknown why the breach went undetected for five months or whether the attackers demanded a ransom.
Company response
Substack’s chief executive, Chris Best, sent an email to users stating:
“I’m reaching out to let you know about a security incident that resulted in the email address and phone number from your Substack account being shared without your permission. I’m incredibly sorry this happened. We take our responsibility to protect your data and your privacy seriously, and we came up short here.”
Key points from the response:
- The issue has been fixed, and an investigation is underway.
- Substack has no evidence that the compromised data is being misused.
- Users were advised to exercise caution with emails and texts, though no specific indicators were provided.
Impact and next steps
- Number of affected users: Not disclosed.
- Evidence of abuse: Substack reported no signs of misuse but did not detail the technical methods (e.g., log analysis) used to reach this conclusion.
- User guidance: General caution advised; no concrete remediation steps were outlined.
TechCrunch has reached out for additional details and will update the story if more information becomes available.
Background on Substack
- Substack reports more than 50 million active subscriptions, including 5 million paid subscriptions, a milestone it reached last March.
- In July 2025, the company raised $100 million in Series C funding led by BOND and The Chernin Group, with participation from a16z, Klutch Sports Group CEO Rich Paul, and Skims co‑founder Jens Grede (TechCrunch article).