Paid subscribers to caraportfolio.substack.com have been receiving phoney emails. Previously I thought I was the only one being spammed. Unfortunately, the problem has escalated.

If you have paid, I can assure you that your one-year subscription is active and has just begun.

To prevent any further issues until Substack resolves this matter to my satisfaction, I have proactively paused all billing and payments. I am working to correct their system error and expect a resolution today.

My apologies for any confusion or concern this has caused.

I received potentially spam email a few days ago, and replied but received no response. So, I asked an experienced Substack publisher for comment, and was told it looks fake but just in case, he provided the email address of the Substack co-founder and CEO. I followed up with the following attachment, which I am sharing here. I did not receive a reply to that email either.

=================================================================

Substack Standards & Enforcement <security@substack.com>

Feb 4, 2026, 9:10 PM (4 days ago)

to me

Hello,

I’m reaching out to let you know about a security incident that resulted in the email address from your Substack account being shared without your permission.

I’m incredibly sorry this happened. We take our responsibility to protect your data and your privacy seriously, and we came up short here.

What happened. On February 3rd, we identified evidence of a problem with our systems that allowed an unauthorized third party to access limited user data without permission, including email addresses, phone numbers, and other internal metadata. This data was accessed in October 2025. Importantly, credit card numbers, passwords, and financial information were not accessed.

What we are doing. We have fixed the problem with our system that allowed this to happen. We are conducting a full investigation, and are taking steps to improve our systems and processes to prevent this type of issue from happening in the future.

What you can do. We do not have evidence that this information is being misused, but we encourage you to take extra caution with any emails you receive that may be suspicious.

This sucks. I’m sorry. We will work very hard to make sure it does not happen again.

- Chris Best, CEO of Substack

=================================================================

I know we all deal with spam, but an erroneous email from a trusted service like Substack is especially frustrating. My sincere apologies if the “subscription ended” notice caused any concern.

I am actively resolving this issue and will send you a personal confirmation as soon as it’s fixed. You can expect Portfolio Assessment Report #6 to be released right after.

I also want to reassure you: your CaraPortfolio subscription funds are still securely held at Stripe. I have a personal policy of not withdrawing funds until I am completely confident in the consistent quality of the services I provide. I’m grateful to say we are almost there, thanks to your support. I am really pleased there are so many of you.