When We Trust No One: Did Substack REALLY Say It Was Breached?

When you’ve been around long enough, zero trust is an attitude, not a technology. Which is how I reacted when I received an email from Substack yesterday and questioned whether it was REALLY from Substack.

The email

How many of you received this email yesterday?

Hello,

I’m reaching out to let you know about a security incident that resulted in the email address and phone number from your Substack account being shared without your permission.

I’m incredibly sorry this happened. We take our responsibility to protect your data and your privacy seriously, and we came up short here.

What happened. On February 3rd, we identified evidence of a problem with our systems that allowed an unauthorized third party to access limited user data without permission, including email addresses, phone numbers, and other internal metadata. This data was accessed in October 2025. Importantly, credit card numbers, passwords, and financial information were not accessed.

What we are doing. We have fixed the problem with our system that allowed this to happen. We are conducting a full investigation, and are taking steps to improve our systems and processes to prevent this type of issue from happening in the future.

What you can do. We do not have evidence that this information is being misused, but we encourage you to take extra caution with any emails or text messages you receive that may be suspicious.

This sucks. I’m sorry. We will work very hard to make sure it does not happen again.

– Chris Best, CEO of Substack

My reaction

My jaded reaction?

“Yeah, right.”

Yes, the email came from “Substack Standards & Enforcement” at security@substack.com, but such emails can be faked, and a few months ago I received an email processed by Substack’s servers that was NOT sent by the Substack account owner.

So last night I went to Substack’s own Substack account @substack to see what it said about the matter.

At the time…nothing.

As far as I was concerned, my email and phone number MAY have been breached, or maybe not. Perhaps some nefarious actor was trying to make Substack look bad.

So I forgot about it.
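The point above, that a From: line reading security@substack.com proves little on its own, is one a mail client can partly check for you: the receiving server records its SPF, DKIM and DMARC verdicts in an Authentication-Results header (RFC 8601), and those verdicts say whether the message really came through infrastructure the domain owner authorized. The following is an added example, not code from the original post or from Substack; the two messages, the receiving host mx.example.net, the domain names inside the headers and the function names are all constructed for illustration.

```python
"""Inspect the Authentication-Results header of a received message.

Added example, not from the original post. The two messages below are
constructed; 'mx.example.net' stands for the reader's own receiving
server, which is the only party whose Authentication-Results header can
be trusted (a sender can write a fake one, so real clients only honour
the header added by their own MX).
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed: what a genuine notice might look like after the receiving
# server has evaluated SPF, DKIM and DMARC (RFC 8601 header syntax).
GENUINE_RAW = """\
From: Substack Standards & Enforcement <security@substack.com>
To: reader@example.org
Subject: Security incident
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=bounce.substack.com;
 dkim=pass (2048-bit key) header.d=substack.com header.s=s1;
 dmarc=pass header.from=substack.com

Hello,
"""

# Constructed: same visible From:, but relayed from unrelated infrastructure.
SPOOFED_RAW = """\
From: Substack Standards & Enforcement <security@substack.com>
To: reader@example.org
Subject: Security incident
Authentication-Results: mx.example.net;
 spf=fail smtp.mailfrom=attacker.example;
 dkim=none;
 dmarc=fail header.from=substack.com

Hello,
"""


def parse_auth_results(header: str) -> dict:
    """Map each method (spf/dkim/dmarc) to its result and its properties."""
    header = re.sub(r"\([^)]*\)", "", header)   # drop parenthesised comments
    header = " ".join(header.split())            # unfold continuation lines
    _, _, body = header.partition(";")           # strip the authserv-id
    results = {}
    for clause in body.split(";"):
        parts = clause.split()
        if not parts:
            continue
        method, _, result = parts[0].partition("=")
        entry = {"result": result.lower()}
        for prop in parts[1:]:
            key, _, value = prop.partition("=")
            entry[key.lower()] = value.lower()
        results[method.lower()] = entry
    return results


def _aligned(signing_domain: str, from_domain: str) -> bool:
    """DMARC-style alignment: same domain, or one a subdomain of the other.

    Simplification: real relaxed alignment compares organizational domains
    using the Public Suffix List.
    """
    return (signing_domain == from_domain
            or from_domain.endswith("." + signing_domain)
            or signing_domain.endswith("." + from_domain))


def assess(raw: str, expected_domain: str) -> dict:
    """Summarise whether the visible From: is backed by the server's verdicts."""
    msg = email.message_from_string(raw, policy=policy.default)
    _, from_addr = parseaddr(str(msg["From"] or ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    results = parse_auth_results(str(msg["Authentication-Results"] or ""))
    dkim = results.get("dkim", {})
    dkim_ok = (dkim.get("result") == "pass"
               and _aligned(dkim.get("header.d", ""), from_domain))
    dmarc = results.get("dmarc", {}).get("result")
    return {
        "from_domain": from_domain,
        "from_matches_expected": from_domain == expected_domain,
        "spf": results.get("spf", {}).get("result"),
        "dkim_aligned": dkim_ok,
        "dmarc": dmarc,
        # Credible only if the domain is the expected one AND the receiving
        # server saw DMARC pass with an aligned DKIM signature.
        "credible": from_domain == expected_domain and dmarc == "pass" and dkim_ok,
    }


if __name__ == "__main__":
    for label, raw in (("genuine", GENUINE_RAW), ("spoofed", SPOOFED_RAW)):
        print(label, assess(raw, "substack.com"))
```

A DMARC pass only establishes that the message left infrastructure authorized by the domain's DNS records; it says nothing about whether the person behind the sending account was the one who should have sent it, which is exactly the case described above of a message processed by Substack's servers but not sent by the account owner. That is why the second, out-of-band check (looking for the notice on the platform itself, or in independent reporting) still matters even when the header checks pass.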

The article

This morning I revisited the issue to see if any reputable organizations had written about it. Not finding a Washington Post article, I turned to TechCrunch. (I’ve been reading TechCrunch since the Arrington days.)

Newsletter platform Substack has confirmed a data breach in an email to users.

So TechCrunch relied on the same information I had. There was no indication that TechCrunch had reached out to Substack directly to confirm the authenticity of the email.

Then again, TechCrunch printed its article at 6:55 am PST, and it was still up an hour later at 8 am. If the email had been a scam, Substack would have contacted TechCrunch immediately.

So I guess the story is legit.

Three ways to inform users of a breach

The story goes well beyond Substack, since sites are breached all the time. As far as I’m concerned, the issue isn’t “if,” but “when.”

(And yes I’m looking at you, all Workday-using sites that set the app to require account creation. How will you respond when a jobseeker asks you how you will protect their data WHEN your site is breached?)

There are three ways to inform your users of a breach.

[Bitdefender] surveyed over 400 IT and security professionals who work in companies with 1,000 or more employees. Bitdefender found that 42% of IT and security professionals surveyed had been told to keep breaches confidential — i.e., to cover them up — when they should have been reported.

Perhaps even more shockingly, 29.9% of respondents admitted to actually keeping a breach confidential instead of reporting it.

  • Minimally inform them. What I’m calling the Substack method, where a breach is publicized via one easily-spoofed channel, and not on the platform itself.
  • Powerfully inform them. The KnowBe4 method, in which KnowBe4 confirmed on multiple platforms that a North Korean had successfully secured employment with the firm.

How will YOUR firm respond when you are breached?

And So the Scam Begins

I’ve previously noted that one possible sign of a scammer is when they don’t initiate a LinkedIn connection to you, but instead want you to initiate a LinkedIn connection to them. When a scammer is scamming, they can’t blow through a few thousand connection requests every day, so it’s better if the victims initiate the connection request themselves.

I immediately thought of this when I received an email from a Gmail account to one of my odd accounts entitled “Thinking of connecting.”

Um…why not just do it?

Here’s the text with the scammer’s alleged name changed:

“I saw your profile on LinkedIn and wanted to say hello. I’m Melania.

“I’ve always been interested in learning about different professional paths. This is just a friendly intro for the start of the week—no expectations on my end.”

Obviously I didn’t respond. Because I have no idea who the Gmail account holder REALLY is.

A day later, I received a second message that included the following:

“Things are actually pretty smooth and manageable on my end as the Operations Manager at Estée Lauder, so I’ve had some extra time to catch up with my network. I’d love to hear how your side of the world is treating you whenever you have a moment.”

Again, I didn’t respond. I didn’t even ask for “Melania’s” Estee Lauder email address (again, the emails are from a Gmail account).

Then we got to day three. Remember how Melania said she had viewed my LinkedIn profile? This was the next question she asked:

“Is it snowing where you are?”

Obviously she hadn’t read anything, and I was getting bored, so I blocked her from all email addresses.

Government Anti-Fraud Efforts: They’re Still Siloed

When the United States was attacked on September 11, 2001—an attack that caused NATO to invoke Article 5, but I digress—Congress and the President decided that the proper response was to reorganize the government and place homeland security efforts under a single Cabinet secretary. While we may question the practical wisdom of that move, the intent was to ensure that the U.S. Government mounted a coordinated response to that specific threat.

Today Americans face the threat of fraud. Granted it isn’t as showy as burning buildings, but fraud clearly impacts many if not most of us. My financial identity has been compromised multiple times in the last several years, and yours probably has also.

But don’t expect Congress and the President to create a single Department of Anti-Fraud any time soon.

Stop Identity Fraud and Identity Theft Bill

As Biometric Update reported, Congresspeople Bill Foster (D-IL) and Pete Sessions (R-TX) recently introduced H.R. 7270, “To establish a government-wide approach to stopping identity fraud and theft in the financial services industry, and for other purposes.”

Because this is government-wide and necessarily complex, the bill will be referred to at least THREE House Committees:

“Referred to the Committee on Oversight and Government Reform, and in addition to the Committees on Financial Services, and Energy and Commerce, for a period to be subsequently determined by the Speaker, in each case for consideration of such provisions as fall within the jurisdiction of the committee concerned.”

Why? As I type this the bill text is not available at congress.gov, but Foster’s press release links to a preliminary (un-numbered) copy of the bill. Here are some excerpts:

“(9) The National Institute of Standards and Technology (NIST) was directed in the CHIPS and Science Act of 2022 to launch new work to develop a framework of common definitions and voluntary guidance for digital identity management systems, including identity and attribute validation services provided by Federal, State, and local governments, and work is underway at NIST to create this guidance. However, State and local agencies lack resources to implement this new guidance, and if this does not change, it will take decades to harden deficiencies in identity infrastructure.”

Even in the preamble the bill mentions NIST, part of the U.S. Department of Commerce, and the individual states, after mentioning the U.S. Department of the Treasury (FinCEN) earlier in the bill.

But let’s get to the meat of the bill:

“SEC. 3. IDENTITY FRAUD PREVENTION INNOVATION GRANTS.

(a) IN GENERAL.—The Secretary of the Treasury shall, not later than 1 year after the date of the enactment of this section, establish a grant program to provide identity fraud prevention innovation grants to States.”

The specifics:

  • The states can use the grants to develop mobile driver’s licenses “and other identity credentials.”
  • They can also use the grants to protect individuals from deepfake attacks.
  • Another purpose is to develop “interoperable solutions.”
  • A fourth is to replace vulnerable legacy systems.
  • The final uses are to make sure the federal government gets its money, because that’s the important thing to Congress.

But there are some limitations in how the funds are spent.

  • They can’t be used to require mDLs or eliminate physical driver’s licenses.
  • They can’t be used to “support the issuance of drivers licenses or identity credentials to unauthorized immigrants.” (I could go off on a complete tangent here, but for now I’ll just say that this prevents a STATE from issuing such an identity credential.)

The bill is completely silent on REAL ID, therefore not mandating that everyone HAS to get a REAL ID.

And everything else

So although the bill claims to implement a government-wide solution, the only legislative changes to the federal government involve a single department, Treasury.

But Treasury (FinCEN plus IRS) and the tangentially-mentioned Commerce (NIST) aren’t the only Cabinet departments and independent agencies involved in anti-fraud efforts. Others include:

  • The Department of Justice, through the Federal Bureau of Investigation and the new Division for National Fraud Enforcement.
  • The Department of Homeland Security, through the Secret Service and every enforcement agency that checks identities at U.S. borders and other locations.
  • The Federal Trade Commission (FTC).
  • The Social Security Administration. Not that SSNs are a national ID…but they de facto are.
  • The U.S. Postal Inspection Service.
  • The Consumer Financial Protection Bureau.

These agencies are not ignored, but are funded under mandates separate from H.R. 7270. Or maybe not; there’s an effort to move Consumer Financial Protection Bureau work to the Department of Justice so that the CFPB can be shut down.

And that’s just one example of how anti-fraud efforts are siloed. Much of this is unavoidable in our governmental system (regardless of political parties), in which states and federal government agencies constantly war against each other.

  • What happens, for example, if the Secret Service decides that the states (funded by Treasury) or the FBI (part of Justice) are impeding its anti-fraud efforts?
  • Or if someone complains about NIST listing evil Commie Chinese facial recognition algorithms that COULD fight fraud?

Despite what Biometric Update and the Congresspeople say, we do NOT have a government-wide anti-fraud solution.

(And yes, I know that the Capitol is not north of the Washington Monument…yet.)

Google Gemini. Results may not be accurate.

Did I Forget to Mention That I Don’t Live in New York City?

For a moment I’m going to veer away from finger, face, iris, voice, and DNA and veer toward geolocation.

I don’t live in New York City.

Technically I don’t live in the Mojave Desert either.

But Ontario, California is closer, both in geography and in climate, to the High Desert than to the Eastern Seaboard.

I guess California knows how to party by walking around with self promotion signs.

Biometric product marketing expert.

And if my biometric product marketing expertise can help your firm, let’s talk.

I Heartily Agree

Here’s a quote from Runar Bjorhovde, senior analyst for smartphones and connected devices at Omdia.

“I think the biggest step many biometrics players can take to prove their importance is within marketing — in addition to maintaining their current innovation. Actually explaining why these sensors are so important and what they enable can massively help to simplify them to users, consequently making the value easier to understand.”

I heartily agree that the “why” is important.

Which is Harder: Know Your Employer, or Know Your Employee?

Of all the KYx acronyms (Know Your Customer, Know Your Business, etc.), two that interest LinkedIn users are Know Your Employer and Know Your Employee. How do you fight fraudulent employers and employees? And how do your prospects learn about your fraud fighting?

Read my latest article on LinkedIn in The Wildebeest Speaks: “Which is Harder: Know Your Employer, or Know Your Employee?”

Google Gemini.

Vein Biometrics At Scale

I haven’t talked about vein biometrics in a while, so it’s good to catch up on an old Biometric Update article about Saint Deem.

“China has its first factory dedicated to manufacturing vein biometrics hardware, which will produce up to 2 million vein modules and devices a year. The factory is built by biometric technology firm Saint Deem, which develops vein recognition algorithms, software and hardware.”

I’m surprised that we haven’t seen a vein biometrics factory before now. Vein identification has been around forever. And if Amazon isn’t getting its devices from China, who is supplying them?

Don’t Pivot to Trending Topics

Don’t pivot to trending topics.

As I suspected, my “finger stop” post did not go viral.

But it’s a heck of a lot more interesting than commenting on most things.

Or writing about ANYTHING for pay.

Bredemarket doesn’t do resumes, even though people have tried to get me to do that.

Bredemarket doesn’t design websites, even though people have tried to get me to do that.

Bredemarket provides content, proposal, and analysis services to identity, biometric, and technology firms.

Not a trending sexy service.

But if you need it, you need it.

And should talk to me.

Is Bredemarket Here to Rescue You?

Has anyone ever told you, “I’m here to rescue you?”

Luke.

Sometimes, perhaps to your surprise, they actually DO rescue you.

Sometimes they don’t.

“Global consulting giant Deloitte has agreed to refund a part of its $440,000 fee to the Australian government after admitting to using generative AI tools in a report assessing the government’s “Future Made in Australia” initiative….The final report, released in July, was found to contain several significant errors — including academic citations referencing individuals who do not exist and a fabricated quote from a Federal Court judgment…”

So how does Bredemarket ensure that MY consulting projects deliver what you need?

By regular feedback cycles after I have asked my initial questions.

The Seven Questions I Ask.

After I’ve scoped the project and created my first draft, it’s your turn to provide input.

  • When properly scoped, almost all projects only need minor redirection at worst, or perhaps only a few tweaks.
  • In a very few instances clients have accepted my first drafts as the final copy. Sometimes this relieves me, sometimes it worries me. (Did the client read it?)

But a quick turnaround is the desired goal. You need to get this content out to your prospects, and I need to rescue you (or someone else) in another project.

Oh…and I always check my references.

(Sorry.)

For more information, and to book a free consultation about your unfinished project, visit https://bredemarket.com/mark/

Catching Up On Alaska’s Mobile ID

Thales issued this press release recently:

“Thales is pleased to announce its continued partnership with the State of Alaska Department of Motor Vehicles (DMV) with the launch of the Alaska Mobile ID. Seen as an innovative digital identity solution, it empowers residents to manage the use of their identification credentials securely and conveniently through their mobile devices.

“The Alaska Mobile ID leverages Thales’ sophisticated digital ID technology to provide Alaskans with a secure method for digital verification of their identity, age, and/or driving privileges. With this ‘cybersecurity by design’ solution, citizens benefit from a quick and secure way to digitally verify their identity while safeguarding their personal information. It also enables selective disclosure, meaning only some attributes of residents’ identities can be electronically verified. As an example, with Alaska Mobile ID, residents will be able to prove they are above 21 without revealing their exact age, which is impossible with physical ID.”

So this is a wonderful advance for Alaska…even though Thales is foreign-owned. The 2022 Alaska HB389 died without passage.
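The “prove they are above 21 without revealing their exact age” property in the press release above is selective disclosure, and the mechanism mobile driving licences use for it (ISO/IEC 18013-5) is worth seeing in miniature: the issuer signs a list of salted digests, one per data element, and the holder later reveals only the requested elements together with their salts, so the verifier can recompute those digests against the signed list while the undisclosed elements stay hidden. Age is handled by issuer-computed boolean elements (age_over_21 and the like) rather than by revealing the birth date. The following is an added example, not code from Thales, the State of Alaska, or the original post; the credential contents, the issuer key and the function names are constructed, and an HMAC stands in for the issuer’s asymmetric signature so the script runs with the standard library alone.

```python
"""Selective disclosure of an mDL-style credential (added example).

Simplified model of the ISO/IEC 18013-5 approach: a signed list of salted
digests, one per data element; the holder discloses only the requested
elements with their salts. Everything here is constructed for illustration,
and the HMAC-based 'signature' stands in for a real issuer signature.
"""
import copy
import hashlib
import hmac
import json
import secrets

ISSUER_KEY = b"constructed-issuer-key"  # stand-in for the issuer's private key

SAMPLE_ELEMENTS = {  # constructed holder data
    "family_name": "Doe",
    "given_name": "Jane",
    "birth_date": "1990-06-15",
    "age_over_21": True,   # computed by the issuer, as ISO 18013-5 age_over_NN is
    "driving_privileges": ["D"],
}


def _digest(name, value, salt_hex):
    """Salted digest of one element; the salt keeps small value spaces unguessable."""
    payload = json.dumps([salt_hex, name, value], sort_keys=True).encode()
    return hashlib.sha256(payload).hexdigest()


def _sign(mso):
    """Stand-in issuer signature over the digest list (real issuers sign asymmetrically)."""
    return hmac.new(ISSUER_KEY, json.dumps(mso, sort_keys=True).encode(),
                    hashlib.sha256).hexdigest()


def issue(elements):
    """Issuer side: salt every element, sign the digest list, hand all of it to the holder."""
    salts = {n: secrets.token_hex(16) for n in elements}
    mso = {"doc_type": "org.iso.18013.5.1.mDL",
           "digests": {n: _digest(n, v, salts[n]) for n, v in elements.items()}}
    return {"elements": dict(elements), "salts": salts,
            "mso": mso, "signature": _sign(mso)}


def present(credential, requested):
    """Holder side: reveal only the requested elements plus their salts.

    The full digest list travels with the presentation, but undisclosed
    values cannot be recovered from their salted digests.
    """
    disclosed = {n: {"value": credential["elements"][n],
                     "salt": credential["salts"][n]} for n in requested}
    return {"disclosed": disclosed, "mso": credential["mso"],
            "signature": credential["signature"]}


def verify(presentation):
    """Verifier side: return the disclosed values, or None if anything fails to check."""
    mso = presentation["mso"]
    if not hmac.compare_digest(_sign(mso), presentation["signature"]):
        return None                                   # digest list not issuer-signed
    verified = {}
    for name, d in presentation["disclosed"].items():
        expected = mso["digests"].get(name)
        if expected is None or _digest(name, d["value"], d["salt"]) != expected:
            return None                               # element altered or not in the list
        verified[name] = d["value"]
    return verified


def tamper(presentation, name, value):
    """Helper for the demo: a copy of the presentation with one disclosed value changed."""
    altered = copy.deepcopy(presentation)
    altered["disclosed"][name]["value"] = value
    return altered


if __name__ == "__main__":
    cred = issue(SAMPLE_ELEMENTS)
    age_check = present(cred, ["age_over_21"])
    print("verifier learns:", verify(age_check))            # {'age_over_21': True}
    print("tampered:", verify(tamper(age_check, "age_over_21", False)))  # None
```

The verifier ends up with exactly one fact (the holder is over 21) and never sees birth_date, while any change to a disclosed value or to the digest list breaks the check. A production verifier would additionally validate the issuer's certificate chain, the document's validity period, and the device-bound key that proves the presentation came from the holder's own phone.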