… but not with good news.
I’m reaching out to let you know about a security incident that resulted in the email address from your Substack account being shared without your permission.
I’m incredibly sorry this happened. We take our responsibility to protect your data and your privacy seriously, and we came up short here.
What happened. On February 3rd, we identified evidence of a problem with our systems that allowed an unauthorized third party to access limited user data without permission, including email addresses, phone numbers, and other internal metadata. This data was accessed in October 2025. Importantly, credit card numbers, passwords, and financial information were not accessed.
What we are doing. We have fixed the problem with our system that allowed this to happen. We are conducting a full investigation, and are taking steps to improve our systems and processes to prevent this type of issue from happening in the future.
What you can do. We do not have evidence that this information is being misused, but we encourage you to take extra caution with any emails you receive that may be suspicious.
This sucks. I’m sorry. We will work very hard to make sure it does not happen again.
This is one of the reasons I use a different email forevery service I sign up for - so if that email does find its way into unauthorised hands - it is obvious. (So far so good).
Identified on Feb 3rd - EMail sent Feb 5th - good
BUT - this data was accessed in October 2025.
So what was going on in October, November, December, January and into February where it was not spotted?
Who dropped the ball?