Reply-All storm flares as email announcing privacy policy puts 500 addresses in the 'To' field, not 'BCC'

Newsletter-as-a-service outfit Substack does the usual apologising


Some advice from The Register: when announcing a new privacy policy don’t do so with emails that reveal 500 addresses in the “To” field of the message.

We offer this advice after today finding ourselves on the receiving end of just such an email from newsletter-as-a-service platform Substack. Social media commentary on the mess mentions other emails with hundreds of recipients’ addresses exposed.

Substack took to Twitter to abase itself before the Wrath Of The Internet™.

But those who received the mail were merciless, mocking the message as clueless given that mass-mailers have been free and fabulous since Majordomo debuted in the early 1990s, while newer platforms like MailChimp also do a fine job. And then there’s the irony of a privacy policy being delivered by a privacy breach.

There may be some upside for Substack in the fact that many of the email addresses it exposed belong to people who have senior roles in major corporations, the Trump administration, governments and even a few media outlets that might on their best days be more prestigious than The Register. But while the company can say it has attracted quality readers, it has also ticked them off.

Reply-All action has so far focused on pointing out the ridiculous nature of the situation, but has been muted perhaps due to a desire not to inflict further privacy injuries on recipients. ®
