HACKER Q&A
📣 rahimnathwani

Received an email from Substack, including other users' email addresses?


I received this email a couple of hours ago. It appears to be from Substack. It includes many email addresses in the 'To' line. Presumably these are all Substack users. If genuine, it's a strange mistake given that the email is about a new privacy policy, and compliance with California's CCPA.

--

You’re receiving this email because you have signed up to a newsletter powered by Substack.

We at Substack are making several updates to make our Terms of Use, Publisher Agreement, and Privacy Policy simpler and more transparent. Our privacy policies now also reflect evolving best practices and laws, including the California Consumer Privacy Act (the “CCPA”).

The updates we’ve made will be effective for existing users as of July 28th, 2020. We encourage you to review them in full. Below are some highlights:

Privacy Policy: We’ve updated the Privacy Policy to make it easier to understand and better describe the information we collect and how we use such information to help us provide the best possible service to you.

CCPA Policy: For California residents, we’ve added a CCPA Policy to provide you with information about the types of personal information we collect and use pursuant to the requirements of the CCPA, as well as your rights under CCPA, including your right to make certain requests regarding such rights, and how to make those requests.

Publisher Agreement and Terms of Use: These have been updated to make them easier to read and understand and to make it clear that Substack does not collect information for advertising purposes.

If you have any questions, please contact us at privacy@substackinc.com. By continuing to use our services on or after July 28th, 2020, you acknowledge our updated Privacy Policy and new CCPA Policy.

Best,

The Substack Team

  👤 rahimnathwani Accepted Answer ✓
They sent an apology email 3 hours later:

--

Hi,

We have an apology to make. Tonight, in sending out an email notification about updates to our privacy policy, terms of use, and publisher agreements, we mistakenly included a number of email addresses in the ‘to’ line. We caught the error early and less than 1 percent of Substack users were affected. However, it was too late to retract that first batch.

We are so sorry this happened – and we are aware of the irony of the situation. This was a genuine mistake, we feel terrible about it, and we will do everything in our power to never repeat it.

Sincerely, The Substack Team

👤 rvz
> If genuine, it's a strange mistake given that the email is about a new privacy policy, and compliance with California's CCPA.

It is genuine. A friend of mine showed me this same email with the list of other user emails leaked.

Unfortunately, it is a fatal mistake of the sender at Substack of not being able to know how to BCC in an email. Therefore this is a privacy policy breach. This is why throwaway fake emails exist.

Anyone can now look up the identities of each other with this email.