Substack failed to register a URL. This allowed me to receive their private emails.
The the Wall Street newspaper. TechCrunch. Vice.
These are just a few of the media who reached out to me earlier this year to comment on their stories.
However, they weren’t really looking for me. No. They were trying to contact the online newsletter platform Substack, a company I don’t work for.
These media were looking for comments from Substack on things like its funding of right-wing writers or wanting to interview its CEO, Chris Best.
So why did they contact me?
Well, that had to do with the URL of my Substack newsletter, the one that Substack has since removed without even a warning: “press.substack.com”.
In June 2020, in the middle of the first days of the global pandemic, I opened a few accounts with Substack. “I’m going to start a newsletter,” I thought, trying to give myself a project or two to work on amid lockdowns and quarantines.
So I started to research which subdomains were available in order to get inspiration. I was surprised to see a generic one-word dictionary name available: “press”. I ran a series of media reviews while working for a previous employer and thought this would be a great Substack username to perform something similar. I registered and became “press.substack.com” on the platform.
SEE ALSO: Cool gadgets that make great gifts
If you are not familiar with Substack even after all the controversial compared to its writers fundraising program earlier this year, it’s essentially a streamlined email newsletter platform. You sign up and your newsletter lives online at the URL. Your subscribers will receive each message in their email as it is published. And what email address does this newsletter come from that lands in your inbox?
“Your Substack username + @ substack.com.”
So when I registered “press.substack.com” for my newsletter, I unintentionally registered the “[emailÂ protected]“email address, the type of email address that businesses commonly use for their media inquiries. (For example, Google’s press contact can be found at [emailÂ protected], Twitter is at [emailÂ protected], And so on.)
I didn’t realize it at the time. In fact, I hadn’t even noticed the press emails destined for Substack that landed in my inbox until recently. But, Substack should have absoutely remark.
The company uses [emailÂ protected] for his press email, which allows people to mistakenly type in the address with the domain name substack.com instead.
Substack took away my url.
Substack took away my url.
We don’t know exactly when Substack got me its URL. I did not receive any notice. Browsing through my inbox archives, the last email I received was addressed to the press.substack.com subdomain or [emailÂ protected] email was at the end of March 2021.
You may have read a similar story by Claire Carusillo that took place a few weeks ago in Gawker titled “The Punk-Ass Bitches at Substack Tryed to Take Away My Perfect Url”. Carusillo lost his premium URL “politics.substack.com” when Substack decided to donate this real estate online to another of its users.
Substack emailed him to tell him that they took over the URL and changed Carusillo’s to “politics123.substack.com”. In the end, however, Substack decided it wasn’t such a good move and returned âpolitics.substack.comâ to Carusillo.
One of the most surprising things about Gawker’s article is that Carusillo originally emailed the company before taking their URL with his intention of selling “politics.substack.com”, Substack apparently applauded the idea in their response to it.
âIt’s fascinating! I can’t wait to see how it goes. The good thing here is that you have full ownership of your content, your IP address and your mailing list, everything,â Carusillo told Carusillo. Lulu Cheng Meservey, Vice President of Communications at Substack.
My case is probably going to turn out a little differently than Carusillo’s.
As I mentioned before, and unlike Carusillo, I never even received an email informing me that they were picking up the URL. I had to find out the hard way by trying to log in over and over again before I stumbled upon the fact that “press.substack.com” no longer goes to a newsletter page. I finally found out for myself that Substack had changed my url to “press2.substack.com”.
I’m not going to retrieve my sub-stack url.
I’m not going to retrieve my sub-stack url. Unlike “politics.substack.com” which Substack would give to another writer, Substack uses “press.substack.com” for its own business purposes. They didn’t even pay me for it, you know, since I “remain full ownership” of the intellectual property and everything.
But, that does make sense. Even though Substack pretended to be different, most online platforms say they can retrieve your username or subdomain anytime they own the platform.
The fact that they neglected to enter this email address for themselves in the roughly three years since I started the business and I registered it is surprising, but it may be. -be a lesson to be learned for other tech startups. The implications of someone outside the organization with access to that email address could have been much worse. I could very well have saved them from another user discovering “[emailÂ protected]“was open for recording and was using it for malicious purposes.
When I contacted Substack things seemed to have changed since the Gawker play.
Lulu Cheng Meservey, the company’s new vice president of communications, directed me to a new FAQ page on the Substack site which was posted after the publication of Gawker’s article: “How long can I keep my subdomain?”
According to Substack, the company is allowed to “reassign” your URL to another editor if you don’t update your newsletter for six months. To be clear, I had never published anything on press.substack.com.
Meservey didn’t have much more information to disclose as it appears that Substack took over the URL prior to joining the company. However, she said reassigning a URL without notifying a user “shouldn’t happen.”
So don’t forget the next time you tweet, share photos on Instagram, or write your next Substack post: you don’t own this space. At any time, the platform can simply resume it.
And, if you’re running a platform, be sure to grab all the necessary URLs and usernames before you open the listing to the public. You never know if a random user will end up receiving your private emails.