Reply-All storm flares as email announcing privacy policy puts 500 addresses in the 'To' field, not 'BCC'
Newsletter-as-a-service outfit Substack does the usual apologising
Some advice from The Register: when announcing a new privacy policy don’t do so with emails that reveal 500 addresses in the “To” field of the message.
We offer this advice after today finding ourselves on the receiving end of just such an email from newsletter-as-a-service platform Substack. Social media commentary on the mess mentions other messages with hundreds of recipients’ addresses exposed.
Substack took to Twitter to abase itself before the Wrath Of The Internet™.
While we caught the error early, it was too late to retract that first batch. We are so sorry this happened – and we are aware of the irony. This was a genuine mistake, we feel terrible about it, and we will do everything in our power to never repeat it.
— Substack (@SubstackInc) July 29, 2020
But those who received the mail were merciless, mocking the message as clueless given that mass-mailers have been free and fabulous since Majordomo debuted in the early 1990s, while newer platforms like MailChimp also do a fine job. And then there’s the irony of a privacy policy being delivered by a privacy breach.
Substack just sent out an email announcing updates to their privacy policy... and accidentally cc’ed everyone in the batch. You’d think that they’d have nailed the whole sending bulk emails thing
— nic carter (@nic__carter) July 29, 2020
There may be some upside for Substack in the fact that many of the email addresses it exposed belong to people who have senior roles in major corporations, the Trump administration, governments and even a few media outlets that might on their best days be more prestigious than The Register. But while the company can say it has attracted quality readers, it has also ticked them off.
Reply-All action has so far focused on pointing out the ridiculous nature of the situation, but has been muted perhaps due to a desire not to inflict further privacy injuries on recipients. ®