The core secret behind the Substack data breach is not the technical failure but the deliberate timeline of the disclosure. Substack executives sat on the news of this “security incident” for nearly a year, ensuring that their growth metrics remained untarnished while your phone number and email address were being traded in the digital underworld. By the time CEO Chris Best decided to hit “send” on that apologetic email, the damage was already done. Your data has already been indexed, sold, and likely used to craft the very phishing scams currently sitting in your inbox.
The Calculated Silence of Silicon Valley
Substack markets itself as the noble alternative to the attention economy, a place where writers and readers connect without the interference of predatory algorithms. However, this breach reveals that its internal security is as flimsy as that of the social media giants it claims to disrupt. The hacker did not just “access” data: they walked away with the contact details that anchor your digital identity, the email address and phone number that most other services use for login, password recovery and two-factor codes. For a platform that thrives on the “intimacy” of the inbox, failing to secure the very address of that inbox is a catastrophic betrayal of its brand promise.
This lack of transparency is exactly why we should be terrified of increased state and corporate data centralisation. As I argued when explaining Why Kenya’s New Cybercrime Bill Must Be Rejected: A Threat to Your Freedom, giving any entity more power over our digital footprints is a recipe for disaster. If a high-valuation darling like Substack cannot or will not protect basic contact information, the idea that a government bureaucracy or an even larger tech conglomerate can do so is a dangerous fantasy.
The Hidden Cost of “Pro-Writer” Optics
The delay in notification was almost certainly a business decision. In the world of venture capital, a data breach is a “noise” event that can tank a funding round or a secondary share sale. By waiting until the incident was “stale” in the eyes of the media, Substack prioritised its valuation over the safety of its users. It left you running two-factor authentication on a phone number that was already circulating in criminal hands for months, without warning you. A leaked number is exactly what a SIM-swapping attacker needs as a starting point: convince or bribe a carrier employee to port it, and every service that still sends one-time codes or password resets over SMS falls open. The practical defence is the one Substack should have told you about on day one: move your second factor to an authenticator app or a hardware security key, and remove the phone number as a recovery option wherever the service allows it.
This is the hidden tax of the creator economy. You pay for your subscription with money, but the platform pays for its mistakes with your anonymity. The “security incident” is a polite euphemism for a fundamental failure of duty. When they tell you that “no passwords were compromised,” they are hoping you are too tech-illiterate to realise that a verified phone number and email address are all a halfway-decent social engineer needs: together they are enough to send phishing and SMS scams that reference a newsletter you actually subscribe to, to target password-reset flows at other services, and to attempt a SIM swap against any account that still falls back to SMS.
The Prediction
Within the next six months, Substack will announce a “Security Plus” initiative or a mandatory migration to their proprietary app, claiming it is for “user protection.” In reality, this will be a move to further lock users into their ecosystem and harvest even more granular data to replace what they lost. Expect a surge in targeted SMS phishing specifically aimed at newsletter subscribers, as the stolen database is fully integrated into global scamming networks.