When We Trust No One: Did Substack REALLY Say It Was Breached?

When you’ve been around long enough, zero trust is an attitude, not a technology. Which is how I reacted when I received an email from Substack yesterday and questioned whether it was REALLY from Substack.

The email

How many of you received this email yesterday?

Hello,

I’m reaching out to let you know about a security incident that resulted in the email address and phone number from your Substack account being shared without your permission.

I’m incredibly sorry this happened. We take our responsibility to protect your data and your privacy seriously, and we came up short here.

What happened. On February 3rd, we identified evidence of a problem with our systems that allowed an unauthorized third party to access limited user data without permission, including email addresses, phone numbers, and other internal metadata. This data was accessed in October 2025. Importantly, credit card numbers, passwords, and financial information were not accessed.

What we are doing. We have fixed the problem with our system that allowed this to happen. We are conducting a full investigation, and are taking steps to improve our systems and processes to prevent this type of issue from happening in the future.

What you can do. We do not have evidence that this information is being misused, but we encourage you to take extra caution with any emails or text messages you receive that may be suspicious.

This sucks. I’m sorry. We will work very hard to make sure it does not happen again.

– Chris Best, CEO of Substack

My reaction

My jaded reaction?

“Yeah, right.”

Yes, the email came from “Substack Standards & Enforcement” at security@substack.com, but such emails can be faked, and a few months ago I received an email processed by Substack’s servers that was NOT sent by the Substack account owner.
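A defender-side check for the "such emails can be faked" point, added here as an example that is not part of the original post: it reads the Authentication-Results header that your own receiving mail server stamps on a message and tests whether passing SPF and DKIM results are aligned with the visible From: domain, which is what DMARC evaluates. Both messages are constructed samples; mx.example.net and bulk-mailer.example are placeholder names.

```python
"""Is the visible From: domain actually backed by aligned SPF/DKIM results?"""
import email
import email.utils
import re
from email import policy


def org_domain(domain: str) -> str:
    """Relaxed DMARC alignment compares organizational domains. Taking the last
    two labels is a simplification; production code uses the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def check_alignment(raw: bytes) -> dict:
    """Report whether any passing SPF/DKIM result aligns with the From: domain."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_dom = email.utils.parseaddr(str(msg["From"]))[1].rsplit("@", 1)[-1].lower()
    want = org_domain(from_dom)
    # Only the Authentication-Results header added by YOUR OWN receiving server is
    # trustworthy: a sender can forge this header too, which is why real MTAs strip
    # foreign copies before stamping their own.
    ar = " ".join(msg.get_all("Authentication-Results", []))
    spf_ok = any(org_domain(d) == want for _, d in re.findall(
        r"spf=(pass)[^;]*?smtp\.mailfrom=(?:[^@\s;]*@)?([\w.-]+)", ar))
    dkim_ok = any(org_domain(d) == want for _, d in re.findall(
        r"dkim=(pass)[^;]*?header\.d=([\w.-]+)", ar))
    return {"from_domain": from_dom, "spf_aligned": spf_ok,
            "dkim_aligned": dkim_ok, "dmarc_pass": spf_ok or dkim_ok}


# Constructed sample: what a receiver records for mail genuinely sent by the domain.
GENUINE = b"""Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=substack.com; dkim=pass header.d=substack.com
From: "Substack Standards & Enforcement" <security@substack.com>
Subject: Security incident

Hello,
"""

# Constructed sample: same display name and From: address, but relayed through an
# unrelated bulk mailer, so SPF and DKIM pass for the wrong domain.
SPOOFED = b"""Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=bounce@bulk-mailer.example; dkim=pass header.d=bulk-mailer.example
From: "Substack Standards & Enforcement" <security@substack.com>
Subject: Security incident

Hello,
"""

if __name__ == "__main__":
    for label, raw in (("genuine", GENUINE), ("spoofed", SPOOFED)):
        print(label, check_alignment(raw))
```

A passing result says the mail came through infrastructure the From: domain authorizes; it does not say the content is true, which is why confirming on the platform itself still matters.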

So last night I went to Substack’s own Substack account @substack to see what it said about the matter.

At the time…nothing.

As far as I was concerned, my email and phone number MAY have been breached, or maybe not. Perhaps some nefarious actor was trying to make Substack look bad.

So I forgot about it.

The article

This morning I revisited the issue to see if any reputable organizations had written about it. Not finding a Washington Post article, I turned to TechCrunch. (I’ve been reading TechCrunch since the Arrington days.)

Newsletter platform Substack has confirmed a data breach in an email to users.

So TechCrunch relied on the same information I had. There was no indication that TechCrunch had reached out to Substack directly to confirm the authenticity of the email.

Then again, TechCrunch printed its article at 6:55 am PST, and it was still up an hour later at 8 am. If the email had been a scam, Substack would have contacted TechCrunch immediately.

So I guess the story is legit.

Three ways to inform users of a breach

The story goes well beyond Substack, since sites are breached all the time. As far as I’m concerned, the issue isn’t “if,” but “when.”

(And yes, I’m looking at you, all Workday-using sites that set the app to require account creation. How will you respond when a jobseeker asks how you will protect their data WHEN your site is breached?)

There are three ways to inform your users of a breach.

  • Don’t inform them at all. [Bitdefender] surveyed over 400 IT and security professionals who work in companies with 1,000 or more employees. Bitdefender found that 42% of IT and security professionals surveyed had been told to keep breaches confidential — i.e., to cover them up — when they should have been reported. Perhaps even more shockingly, 29.9% of respondents admitted to actually keeping a breach confidential instead of reporting it.
  • Minimally inform them. What I’m calling the Substack method, where a breach is publicized via one easily-spoofed channel, and not on the platform itself.
  • Powerfully inform them. The KnowBe4 method, in which KnowBe4 confirmed on multiple platforms that a North Korean had successfully secured employment with the firm.

How will YOUR firm respond when you are breached?

Why I Despise the Steps to Success

Sometimes I think that half of the people writing on Substack are telling people how to write on Substack. So they can in turn tell people how to write on Substack.

But the people promoting Substack success are nothing compared to the ones promoting LinkedIn success.

Bredemarket currently manages four LinkedIn pages, and I recently received a notification from LinkedIn that someone had commented on one of Bredemarket’s LinkedIn posts, asking why I hadn’t engaged with the commenter.

Then I went to the post and read the comment.

“Are we ready for better identification systems? Let’s explore potential solutions. 🔑 #Innovation”

LinkedIn.

Frankly, that comment sounded…formulaic. And I had a hunch that the commenter had left similar comments on other posts.

I was right.

LinkedIn.

Obviously the well-meaning commenter had read some advice on How To Maximize Your LinkedIn Profile Reach With Text, An Emoji, And A Hashtag. And frankly, it doesn’t matter whether the comments were self-written or bot-written. Either way, they’re ineffective.

I was going to have Bredebot write a response to the comment for me, but in the end I didn’t bother.

Avoid rote steps to success. Be yourself.

And yes, I will probably post this to the same LinkedIn page, in case the commenter revisits.

Eight is Enough: Eight Reasons This Substack “Compromised Firmware” Post Sounded Like A Hack

Last night I saw a Substack post from one of my subscriptions, but I immediately distrusted the post.

The post was purportedly from Kathy Kristof from SideHusl.com. Now Kristof herself is legitimate, and her SideHusl website evaluates…well, side hustles.

But this message didn’t sound like Kathy, and my spidey sense was aroused.

First part of scam post.
Second part of scam post.

Let me count the ways.

  1. “We.” Normally if an entity suffers a breach, the entity uses its name.
  2. “Your device”…“the firmware level.” Substack posts can be viewed on a variety of devices. So this supposed breach affected all of them?
  3. “If you are receiving this email.” While Substack subscribers can receive emails of posts, they also appear on the Substack website. I happened to be on the Substack website when I saw the post. I was not reading an email.
  4. “Take immediate action…by updating your firmware.” The typical scam sense of urgency, coupled with a nonsensical request (see 2).
  5. “The FBI has been notified.” Such a report should probably go to a different agency.
  6. “support@trezor.io.” Trezor is a legitimate company that secures crypto assets…which has nothing to do with SideHusl or Substack. And by the way…
  7. “Substack” (not). In the same way that the post does not explicitly mention SideHusl, it doesn’t explicitly mention Substack either.
  8. “Access Dashboard button.” The reader is asked to click this button, supposedly to update their firmware (see 2).

My immediate reaction?

“I ain’t clicking that Access Dashboard button.”

My note restacking the scam post.

And:

“Suspicious message, purportedly from Kathy Kristof at Sidehusl.com, asking you to click a button.

“No way.”

Independent note with screenshots of the original scam post.

Be careful out there.

Conceptualization of the Planet Bredemarket and Its Rings

Inspired by the Constant Contact session I attended at the Small Business Expo, I wanted to conceptualize the Bredemarket online presence, and decided to adopt a “planet with rings” model.

Think of Bredemarket as a planet. Like Saturn, Uranus, Neptune, and Jupiter, the planet Bredemarket is surrounded by rings.

Google Gemini.

The closest ring to the planet is the Bredemarket mailing list (MailChimp).

The next closest ring is the Bredemarket website (WordPress).

Moving outward, we find the following rings:

  • Search engines and generative AI tools, including Bing, ChatGPT, Google, Grok, Perplexity, and others.
  • The Bredemarket Facebook page and associated groups.
  • The Bredemarket LinkedIn page and associated showcase pages.
  • A variety of social platforms, including Bluesky, Instagram, Substack, and Threads.
  • Additional social platforms, including TikTok, WhatsApp, and YouTube.

While this conceptualization is really only useful to me, I thought a few of you may be interested in some of the “inner rings.”

And if you’re wondering why your favorite way cool platform is banished to the outer edges…well, that’s because it doesn’t make Bredemarket any money. I’ve got a business to run here, and TikTok doesn’t help me pay the bills…

The Nomad Returns

My nomadic journey has ended.

The relative’s outpatient surgery was a success, and recovery is progressing.

Meanwhile, I met with one client and advanced several client product marketing projects, including a requirements document (done those for years), some product talking points (done those for years), a price/cost/supplier exercise (done those for years), and a project status report (done those for years).

I also published four Bredemarket posts (including this one) and the usual assortment of social media content on various channels (with the exception of one).

U.S. persons should pay special attention to my coverage of IDGA’s DoD/DHS border security report (blog, Substack, elsewhere).

I think I need a vacation.

Imagen 4.

On Communities

My written content usually targets a PRIMARY channel:

This content has a new target: my Substack “subscriber chat” https://open.substack.com/pub/johnebredehoft/chat

Because unlike the others, Substack subscriber chat is DESIGNED as a community.

A community that I’m not currently utilizing, but one that I should in the future.

By the way, if you want to read my Substack, visit https://substack.com/@johnebredehoft

Are All Your Eggs in One Social Basket?

(Imagen 4)

If your strategy is solely based upon a single platform such as TikTok, CapCut, Substack, Canva, or any other, you’ve already lost by putting all your eggs in one social basket.

Social dependence

My Saturday TikTok post got me thinking about companies whose entire STRATEGY is based on TikTok.

Not tactics.

Strategy.

  • Even though the chance remains that TikTok may be banned in the United States, as it is already banned in India…and is not available in China.
  • Or the companies that depend on CapCut who may have just surrendered their intellectual rights. Oh, and CapCut may be banned in the United States also.
  • Or the people that are so thrilled with Substack that they are stopping all other social media activity and concentrating solely on Substack.
  • Or the companies (I know of one) who base their strategy solely on Canva.

Or you can cite any other platform, dependence upon which could devastate your business overnight.

So own your own website and mailing list…right?

Well, at least Bredemarket doesn’t have to worry about losing access to my prospects and customers.

Even if I lose access to every single social media service, I still have my WordPress website and my MailChimp mailing list. 

So I am 100% insulated, right? 

Um, right?

OK, guess I’m threatened also.

Omnichannel distribution

In the biometric world, we talk about five factors of authentication and identity verification. If you depend upon a single factor, you’re in trouble. But using multiple factors lessens the risk.

Similarly, if you distribute your content via multiple channels, then a threat to any single channel doesn’t put you out of business.

(Sales pitch incoming)

And your distributed content can take multiple forms. Blogs. Case studies. White papers. Social content on multiple channels.

Assuming you actually create the content.

Or get someone to help you create it.

(Told you there would be a sales pitch.)

So rather than reading Bredemarket’s sales pitch (call to action), why don’t we work on creating yours? Click the image below and reserve a free meeting time.

CPA
Bredemarket’s “CPA.”