This article is more than 1 year old

Reply-All storm flares as email announcing privacy policy puts 500 addresses in the 'To' field, not 'BCC'

Newsletter-as-a-service outfit Substack does the usual apologising

Some advice from The Register: when announcing a new privacy policy don’t do so with emails that reveal 500 addresses in the “To” field of the message.

We offer this advice after today finding ourselves on the receiving end of just such an email from newsletter-as-a-service platform Substack. Social media commentary on the mess mentions other mentions with hundreds of recipients’ addresses exposed.

Substack took to Twitter to abase itself before the Wrath Of The Internet™.

But those who received the mail were merciless, mocking the message as clueless given that mass-mailers have been free and fabulous since Majordomo debuted in the early 1990s, while newer platforms like MailChimp also do a fine job. And then there’s the irony of a privacy policy being delivered by a privacy breach.

There may be some upside for Substack in the fact that many of the email addresses it exposed belong to people who have senior roles in major corporations, the Trump administration, governments and even a few media outlets that might on their best days be more prestigious than The Register. But while the company can say it has attracted quality readers, it has also ticked them off.

Reply-All action has so far focused on pointing out the ridiculous nature of the situation, but has been muted perhaps due to a desire not to inflict further privacy injuries on recipients. ®

More about

More about

More about


Send us news

Other stories you might like