The complete extent of what was uncovered is much less clear. Along with e mail addresses and telephone numbers, the corporate talked about “metadata,” a catch-all time period. In its privateness coverage, Substack describes a variety of information this may embody, relying on how the positioning is used, together with consumer IDs, profile footage, biographies, and IP addresses.
How ought to Substack customers react? Usually, the recommendation after any data breach is to vary the account password. Nonetheless, Substack’s default entry methodology is by way of e mail deal with, with authentication confirmed by sending a “magic hyperlink” to the consumer’s e mail deal with. This removes the issue of password compromise and phishing assaults by not having a password to phish. If non-obligatory multi-factor authentication is turned on, the consumer should moreover enter a onetime code from an app.
Passwords are nonetheless doable — customers who signed up earlier than 2023 may need one — however in 2026, the consumer should actively select to create one. The corporate doesn’t point out whether or not this subset of customers ought to take into account altering their passwords as a precaution, however did provide the next assertion:
