Catch Of The Week: Substack Data Breach

By REBECCA RUTHERFORD
Los Alamos
For the Los Alamos Daily Post

Substack is one of those platforms that feels personal. You subscribe to newsletters you actually want, you hear directly from the writers you like, and most of the time you don’t expect to get hit with the digital equivalent of finding someone rifled through your junk drawer. But that is exactly what happened with a recent data breach.

Security researchers have confirmed that a data breach exposed email addresses and phone numbers for many Substack users. That means if you have ever signed up for Substack, your contact info might be with someone who shouldn’t have it. The company has verified the breach and says it impacted a database of user data. It is not clear yet how many people were affected, but if you use the service, this is worth paying attention to.

Here is how these things generally work. Data breaches do not always mean someone cracked the Da Vinci Code. Often they mean bad actors got access to a database they should not have, downloaded it, and now are offering that data for sale, or using it to try more scams. In this case, email addresses and phone numbers are the kind of stuff that spammers and phishers love. The newsletter aspect also makes this alluring to scammers.

If you see an unexpected email or text that mentions Substack or a specific newsletter you follow, do not click any links. Phishing is more effective when the attacker already knows something about you. These cyber criminals don’t need your password to cause trouble. All they need is your email or phone number and a clever subject line to get you to respond. That is exactly why this kind of breach matters: it’s the little pieces they can put together into a bigger scam that should worry you.

Cyber Awareness Meme. Courtesy image

What you can do right now: review your subscriptions and make sure you recognize the senders. If you get a message from a newsletter you follow, great. But if you get something that looks like it came from Substack and it feels a little off – weird wording, typos, pressure to act now – treat it like the scam it probably is. Legitimate services do not send messages that try to force you to click something because an external breach might have happened. They send calm, clear notifications with instructions on how to log in and check your settings if you want to. That kind of communication always comes from official accounts and never through random phone numbers or email addresses.

Also consider turning on two-factor authentication wherever possible. If Substack offers it and you haven’t enabled it, do that. If another service you use has it, do that too. Two-factor authentication adds an extra lock on your account even if an attacker has your email or phone number.

At the end of the day, data breaches have become part of the online experience, but it’s still worth paying attention, and noting who’s been breached. Awareness is your best defense. Know what services you use. Know what normal messages from those services look like. And if something seems weird or pressure-laden, take a breath and double check before you interact.

Be cautious about what emails or texts you reply to, and what links you click. Stay safe, and maybe unsubscribe from newsletters you no longer read while you’re at it.

Editor’s note: Rebecca Rutherford works in information technology at Los Alamos National Laboratory.
