Former Buzzfeed journalist Anne Helen Petersen had been putting the final touches on the latest episode of her podcast last month when an email landed in her inbox.
It warned of suspicious activity on her Substack account and said her ability to send emails would be frozen until she confirmed she wasn’t a bot.
The email was a classic phishing scam.
Hackers using phishing tactics mock up messages so they appear to be from legitimate sources, tricking marks into handing over log-in details or other sensitive information.
The attackers gained access to Petersen’s account, where she has a combined total of more than 25,000 followers across her newsletter and podcast, both called Culture Study. They proceeded to add thousands more email addresses to the mailing list and changed the name of the newsletter, pretending to be crypto wallet company Trezor.
Petersen quickly realised what had happened and contacted Substack’s support team for help. The platform took more than 24 hours to respond.
“Obviously I caused this, but the lack of a response (let alone a solution) is just the latest example of Substack refusing to adequately attend to the support needs of its writers and readers,” Petersen wrote in a post on Notes, Substack’s rival to X.
Her account was not the only one to be targeted. Comic book writer Greg Lockard, who has around 24,000 followers, confirmed to Press Gazette that he had experienced a hack of a similar nature.
One-person Substacks have single point of failure
The incident underscores the challenges faced by independent writers who use platforms like Substack to reach their audiences. A publication might be run by a small team or even one person, making their account a single point of failure standing between cyber-attackers and substantial troves of data.
“When you’re a solo creator, your email list is both your most valuable and your most vulnerable asset,” Vlad Cristescu, head of cybersecurity at email validation company Zero Bounce, told Press Gazette.
“Subscriber lists usually contain verified email addresses, which makes them incredibly attractive to hackers and phishers. The problem is that most small creators or teams don’t have the same layers of defence a larger company would. So you end up with high-value data, but very little protection around it.”
While platforms offer technical support and data processing functions, users are ultimately the data controllers of their own mailing lists. That means they own their audience and can change platform at any time – shortly after the hacking incident, Petersen announced she was moving Culture Study to Patreon – but it also means they have ultimate responsibility for that information.
For journalists following the trend of leaving big newsrooms to start their own projects, it can be a significant shift. Where a large company might have whole teams dedicated to data protection, cybersecurity and audience management, solopreneurs have to deal with these alone.
“Independent creators need to understand they’re now data controllers in their own right,” Cristescu added. “That comes with responsibility.”
Substack says protecting its publishers is a ‘priority’
Another issue raised by Petersen’s experience is how writers are dependent on their host platforms for fast technical support in emergency situations – support that might be slow to come.
A Substack spokesperson insisted that the platform had rigorous security protocols and its team acted quickly.
“Phishing attempts are a widespread challenge online, and protecting Substack publishers from them as best we can is a priority for us,” they said in an emailed statement, sent in response to questions about the Culture Study hack.
“Once we became aware of this incident, our team took action to help secure the account of the writer in question, who had unfortunately fallen for the phishing scheme. Substack has systems designed to detect and mitigate these kinds of attacks, and we act quickly when issues are reported.”
Petersen, however, has continued to criticise the company’s support offering for authors. In a post explaining why she had moved her newsletter to Patreon, she said that the automation of the service had contributed to her decision to leave.
“I don’t want to serve as a one-person IT department for my readers and listeners who can’t resolve their account problems because Substack’s “support” has been reduced to a bot,” she wrote.
Journalists ‘not fully in control’ of subscribers
Platforms have a role to play in enabling security measures that protect both writers and readers, but even these can raise questions about how to balance data protection with creator autonomy.
One attraction for writers wanting to use a newsletter platform is that they can own their audience in the form of an easily exportable mailing list. Unlike social media followings, these can be transferred from one service to another.
Yet action taken by Medium has demonstrated that this could change. Earlier this year, the blogging site quietly updated its settings so that authors can no longer see the full email addresses of new subscribers, nor export the contact details of anyone who signed up after the change was made.
“Just as social media algorithms can change unfavourably, Medium’s policy shift proves you’re not fully in control of subscribers you attract,” Aimee Simpson, a director at cybersecurity firm Huntress told Press Gazette.
“If a platform’s own growth goals are threatened by security and privacy issues, the company will naturally do what’s in its own interests to limit breaches – which could seriously impact your business,” she said. “You have to weigh up what makes the most sense for you.”
Email pged@pressgazette.co.uk to point out mistakes, provide story tips or send in a letter for publication on our "Letters Page" blog
