A possible Substack security concern
Substack Security Concerns: Phonenumbers on Invoices and Potential Account Access via Forwarded Emails
Yesterday I got a message when logging in to Substack saying that my phone number is showing on the invoice in Stripe. At first I was a bit doubtful, but decided to check, and there it was, just as Substack said.
I just fixed it, and didn't think much more of it. Then later, I came across this Note from
Here is an image of the same Note:
I simply replied that I got it too, and fixed it. Sadly I didn't think of making a Note about this, so thank you Kristina!
Obviously this is not the security concern that I really want to talk about. In this case, I think Substack did great. Thanks to Substack I could remove my phone number from the subscriber invoice. And perhaps you should too, if you haven't done so yet. Obviously it could be beneficial to have a separate phone number for this kind of thing, but that is also only really applicable once you reach a subscriber count that can more or less support you financially, or?
The actual security concern
I want to mention something I came across on Reddit, which really got me thinking. I have not verified that it is like this, but I thought it was important enough to post right here on Substack so everyone can be aware. In the best case the problem is already solved; in the worst case Substack has some work to do.
So let's check out the post over at Reddit, which was posted yesterday (Wednesday, February 19, 2025) by a user named MolemanEnLaManana.
He warns of a serious security flaw in Substack. He forwarded a free post from another Substack publisher to his father; when his father clicked the "Upgrade to Paid" button inside the forwarded email, he was inexplicably logged into the Substack account of the person who forwarded the mail, resulting in a paid subscription charged to the publisher's card. Substack support's advice was to avoid forwarding emails, as the buttons within them might grant access to the original sender's account. The publisher considers this a major flaw, especially given Substack's focus on new features rather than addressing core security issues. They urge anyone experiencing this to contact Hamish at Substack to emphasize the urgency of the problem.
You can read the full post over at Reddit here. Below is a screenshot of the same post:
Is this really true? Is it even possible? According to one user who chose to comment on this post, the answer is yes.
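To make the reported behaviour concrete from a defender's point of view, here is an added example (constructed for this post, not Substack's code, and not taken from the Reddit thread). It assumes the cause is the common "action link" pattern: the button in the email carries a signed token, and the server treats that token as proof of who is clicking. The page does not describe Substack's actual mechanism, so that is an assumption. The `weak_handle_upgrade` function shows the pattern that would produce exactly the symptom in the post (whoever holds the forwarded email ends up acting as the original recipient), and `safe_handle_upgrade` shows the hardened version: the token only names what may happen, it expires quickly, it is single-use, and the action only proceeds if the browser already holds a session for the same user. User names, the signing secret and the lifetime are constructed demo values.

```python
"""Added example: why an action button in an e-mail must never double as a login.

Constructed demo, not Substack's code. It assumes the reported behaviour comes
from a signed token in the button URL that the server accepts as proof of identity.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import secrets
import time

SECRET = b"constructed-demo-secret-not-for-production"  # assumption: a server-held key
TOKEN_TTL = 15 * 60  # seconds; assumption: short lifetime for one-click actions
_used_token_ids: set[str] = set()  # replay protection; a datastore in production


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_action_token(user_id: str, purpose: str, now: float | None = None) -> str:
    """Create a signed token naming one user, one purpose, an expiry and a unique id."""
    now = time.time() if now is None else now
    claims = {"sub": user_id, "purpose": purpose,
              "exp": now + TOKEN_TTL, "jti": secrets.token_hex(8)}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_token(token: str, now: float | None = None) -> dict | None:
    """Return the claims if the signature is valid and the token is unexpired, else None."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
    except ValueError:
        return None
    expected = _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(_unb64(body))
    if claims["exp"] < now:
        return None
    return claims


def weak_handle_upgrade(token: str, browser_session: dict) -> str:
    """Weak pattern: a valid token by itself creates a session for its subject.

    Whoever holds the forwarded e-mail is logged in as the original recipient.
    """
    claims = verify_token(token)
    if claims is None:
        return "invalid"
    browser_session["user"] = claims["sub"]  # the clicker becomes someone else
    return f"upgraded:{claims['sub']}"


def safe_handle_upgrade(token: str, browser_session: dict, now: float | None = None) -> str:
    """Hardened pattern: the token says what may happen, never who is logged in.

    The action proceeds only if the purpose matches, the browser already holds a
    session for the same user, and the token has not been used before.
    """
    claims = verify_token(token, now)
    if claims is None:
        return "invalid_or_expired"
    if claims["purpose"] != "upgrade":
        return "wrong_purpose"
    if browser_session.get("user") != claims["sub"]:
        return "login_required"  # the clicker must authenticate as themselves
    if claims["jti"] in _used_token_ids:
        return "already_used"
    _used_token_ids.add(claims["jti"])
    return f"upgraded:{claims['sub']}"


def forwarded_email_scenario() -> dict:
    """Replay the post's scenario with constructed users: 'publisher' receives the
    e-mail and forwards it; 'relative' clicks the button from a fresh browser."""
    token = mint_action_token("publisher", "upgrade")
    relative_browser: dict = {}
    weak = weak_handle_upgrade(token, relative_browser)
    safe = safe_handle_upgrade(token, {})                       # fresh browser, no session
    own = safe_handle_upgrade(token, {"user": "publisher"})     # the real account holder
    replay = safe_handle_upgrade(token, {"user": "publisher"})  # same link clicked again
    return {"weak": weak, "weak_logged_in_as": relative_browser.get("user"),
            "safe": safe, "own": own, "replay": replay}


if __name__ == "__main__":
    print(forwarded_email_scenario())
```

Running it shows the two designs side by side: under the weak pattern the relative's browser ends up holding a session for `publisher` and the upgrade goes through on that account; under the hardened pattern the same forwarded link yields `login_required`, works once for the real account holder, and is rejected on a second click. The general principle, which a site can check for itself, is that any link mailed out should carry at most an authorization for one narrow action, never an identity that the server will adopt for whoever presents it.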
I honestly have to say that this Reddit post took me by surprise. For now, I have no way of verifying it. I had never heard of this until I read it yesterday.
If this is true, I really hope that Substack takes this one seriously and fixes it ASAP. This is the kind of bad bug that can make or break the website. We, the users, need to know that our sensitive information is kept safe, outside anyone's reach.
So please share this post, and if you happen to know anyone from Substack in power, please share this concern with them.
Oh.. didn't know about this. I'll ask my hubby. He's a software developer. Would also ask Alex Criste or Finn Trophy from my tribe and get back to you.
Happy I could help. But if that's true with forwarding... Oh boy...
Could imagine this is when you're in one household... But not if you're sending it from household to the next.