Newsletter platform Substack notifies users of a data breach that occurred in October 2025, with stolen email addresses and phone numbers appearing on BreachForums this week.
Newsletter platform Substack is notifying users of a data breach that occurred four months ago, with stolen email addresses and phone numbers now appearing on cybercrime forums.

Substack CEO Chris Best revealed in breach notification emails sent on February 3rd that the company had identified evidence of unauthorized access to user data that same day, February 3rd, 2026. The breach itself occurred in October 2025 and exposed limited user information, including email addresses, phone numbers, and internal metadata.
"On February 3rd, we identified evidence of a problem with our systems that allowed an unauthorized third party to access limited user data without permission, including email addresses, phone numbers, and other internal metadata," Best stated in the notification. "This data was accessed in October 2025. Importantly, credit card numbers, passwords, and financial information were not accessed."
Breach Details Emerge on Cybercrime Forums
The timing of Substack's discovery coincides with a data leak on BreachForums, a popular hacking forum. On Monday, a threat actor posted a database containing 697,313 records of allegedly stolen Substack user data. The actor claimed to have scraped the information using a "noisy" method that was quickly patched by Substack's security team.
While Substack has not disclosed the exact number of affected users, the BreachForums leak suggests the breach impacted hundreds of thousands of accounts. The company has not yet explained how the attackers gained access to the data or provided a complete assessment of the breach's impact.
Security Measures and User Protection
Substack reports that it has addressed the vulnerability that enabled the breach. The company is warning users to be vigilant about potential phishing attempts that could exploit the stolen information.
"We have fixed the problem with our system that allowed this to happen," Best added. "We do not have evidence that this information is being misused, but we encourage you to take extra caution with any emails or text messages you receive that may be suspicious."
Historical Context and Platform Growth
This incident marks Substack's second major data exposure in recent years. In July 2020, the company accidentally exposed some users' email addresses when sending a privacy policy update email. The addresses were mistakenly included in the 'to' line instead of the 'bcc' field, making them visible to all recipients.
Since its launch in 2017, Substack has become a significant platform for independent journalists and content creators. The company reached five million paid subscriptions by March 2025, demonstrating its rapid growth in the digital publishing space.
Expert Analysis and Industry Impact
Data breaches involving email addresses and phone numbers, while not compromising financial information, still pose significant risks to users. Cybersecurity experts note that this type of information can be used for targeted phishing campaigns, spam calls, and social engineering attacks.
The four-month delay between the breach and its discovery raises questions about Substack's security monitoring capabilities. However, the company's prompt notification and transparency about the incident may help maintain user trust despite the delay.
Protection Recommendations for Users
Users affected by the breach should:
- Be extra cautious of unsolicited emails or text messages claiming to be from Substack
- Enable two-factor authentication on their Substack accounts if not already active
- Monitor their email accounts for unusual activity
- Consider using unique passwords for Substack if they haven't already
- Be wary of any communications requesting additional personal information
As the digital publishing landscape continues to evolve, this incident serves as a reminder that even platforms focused on content creation must maintain robust security measures to protect user data. The breach highlights the ongoing challenges that growing tech companies face in balancing rapid expansion with comprehensive security protocols.
