Journalists going solo on Substack at risk from hackers Press Gazette

New found independence for journalists comes with cybersecurity concerns

By Alys Key

Former Buzzfeed journalist Anne Helen Petersen had been putting the final touches on the latest episode of her podcast last month when an email landed in her inbox.

It warned of suspicious activity on her Substack account and said her ability to send emails would be frozen until she confirmed she wasn't a bot.

The email was a classic phishing scam.

Hackers using phishing tactics mock up messages so they appear to be from legitimate sources, tricking marks into handing over login details or other sensitive information.

The attackers gained access to Petersen's account, where she has a combined total of more than 25,000 followers across her newsletter and podcast, both called Culture Study. They proceeded to add thousands more email addresses to the mailing list and changed the name of the newsletter, pretending to be crypto wallet company Trezor.

Petersen quickly realised what had happened and contacted Substack's support team for help. The platform took more than 24 hours to respond.

"Obviously I caused this, but the lack of a response, let alone a solution, is just the latest example of Substack refusing to adequately attend to the support needs of its writers and readers," Petersen wrote in a post on Notes, Substack's rival to X.

Her account was not the only one to be targeted. Comic book writer Greg Lockard, who has around 24,000 followers, confirmed to Press Gazette that he had experienced a hack of a similar nature.

The incident underscores the challenges faced by independent writers who use platforms like Substack to reach their audiences. A publication might be run by a small team or even one person, making their account a single point of failure standing between cyberattackers and substantial troves of data.

"When you're a solo creator, your email list is both your most valuable and your most vulnerable asset," Vlad Cristescu, head of cybersecurity at email validation company Zero Bounce, told Press Gazette.

"Subscriber lists usually contain verified email addresses, which makes them incredibly attractive to hackers and phishers. The problem is that most small creators or teams don't have the same layers of defence a larger company would. So you end up with high-value data but very little protection around it."

While platforms offer technical support and data processing functions, users are ultimately the data controllers of their own mailing lists. That means they own their audience and can change platform at any time (shortly after the hacking incident, Petersen announced she was moving Culture Study to Patreon), but it also means they have ultimate responsibility for that information.

For journalists following the trend of leaving big newsrooms to start their own projects, it can be a significant shift. Where a large company might have whole teams dedicated to data protection, cybersecurity and audience management, solopreneurs have to deal with these alone.

"Independent creators need to understand they're now data controllers in their own right," Cristescu added. "That comes with responsibility."

Another issue raised by Petersen's experience is how writers are dependent on their host platforms for fast technical support in emergency situations, support that might be slow to come.

A Substack spokesperson insisted that the platform had rigorous security protocols and its team acted quickly.

"Phishing attempts are a widespread challenge online, and protecting Substack publishers from them as best we can is a priority for us," they said in an emailed statement sent in response to questions about the Culture Study hack.

"Once we became aware of this incident, our team took action to help secure the account of the writer in question, who had unfortunately fallen for the phishing scheme. Substack has systems designed to detect and mitigate these kinds of attacks, and we act quickly when issues are reported."

Petersen, however, has continued to criticise the company's support offering for authors. In a post explaining why she had moved her newsletter to Patreon, she said that the automation of the service had contributed to her decision to leave.

"I don't want to serve as a one-person IT department for my readers and listeners who can't resolve their account problems because Substack's support has been reduced to a bot," she wrote.

Platforms have a role to play in enabling security measures that protect both writers and readers, but even these can raise questions about how to balance data protection with creator autonomy.

One attraction for writers wanting to use a newsletter platform is that they can own their audience in the form of an easily exportable mailing list. Unlike social media followings, these can be transferred from one service to another.

Yet action taken by Medium has demonstrated that this could change. Earlier this year, the blogging site quietly updated its settings so that authors can no longer see the full email addresses of new subscribers, nor export the contact details of anyone who signed up after the change was made.

"Just as social media algorithms can change unfavourably, Medium's policy shift proves you're not fully in control of subscribers you attract," Aimee Simpson, a director at cybersecurity firm Huntress, told Press Gazette.

"If a platform's own growth goals are threatened by security and privacy issues, the company will naturally do what's in its own interests to limit breaches which could seriously impact your business," she said. "You have to weigh up what makes the most sense for you."