Substack has told users about a security breach that let an unauthorised party take email addresses, phone numbers and internal metadata. The company said the access took place in October 2025, although it was not discovered until much later, during the first week of February 2026.
Chris Best, Substack’s chief executive, wrote to affected users to explain the event. “On February 3rd, we identified evidence of a problem with our systems that allowed an unauthorised third party to access limited user data without permission, including email addresses, phone numbers, and other internal metadata,” he said in emails shared by users and reported by BleepingComputer.
The company said account passwords, credit card numbers and financial details stayed safe. Best added another line in the message to underline that point: “This data was accessed in October 2025. Importantly, credit card numbers, passwords, and financial information were not accessed.”
Substack has not said how the intruder got in. A spokesperson told BleepingComputer that safeguards are now in place to stop a repeat of the same issue, although no technical detail has been shared.
How Much Data Left The Platform?
The full scale of the exposure has not been confirmed by Substack. On Monday, a database appeared on the BreachForums hacking forum that was said to hold 697,313 records linked to Substack accounts, according to reporting from BleepingComputer.
The person behind the post claimed the information had been taken and later scraped, adding that “the scraping method used was noisy and patched fast.” Substack has not verified that number, nor confirmed that the leaked database matches what was taken from its systems.
Cybernews reported that Substack hosts tens of millions of subscriptions around the world. That reach has grown steadily since launch in 2017, with the company saying it passed five million paid subscriptions in March 2025.
This is not the first time user contact details have leaked. In July 2020, Substack accidentally exposed email addresses during a privacy policy update by placing recipients in the “to” field rather than “bcc”.
Why Did It Take Months To Find The Breach?
The length of time between the October access and the February discovery has drawn comment from security professionals. Jamie Akhtar, chief executive of CyberSmart, spoke to Cybernews about the risk created by long detection gaps.
“One of the more concerning aspects of this incident is the delay between the initial breach and its discovery,” he said. “Detection gaps create a longer window for attackers to exploit stolen data, often before victims are even aware there is a problem.”
Cybernews also quoted Chris Hauk, a consumer privacy advocate at Pixel Privacy, who said that even contact data can be misused. “While we don’t know exactly how many Substack content creators or users were affected by the breach, it appears only superficial contact information was harvested… That said, the email addresses and phone numbers… could be used… to launch phishing attacks via text or email.”
Paul Bischoff, a consumer privacy advocate at Comparitech, shared a similar view. “Substack users should be on the lookout for targeted phishing emails and scams,” he said.
Substack has told users to take extra care with unexpected emails or text messages. Best wrote, “We do not have evidence that this information is being misused, but we encourage you to take extra caution with any emails or text messages you receive that may be suspicious.”
What Questions Are Creators And Readers Asking?
Reaction has spread across X, Cybernews noted, where writers and subscribers have questioned how long the access went unnoticed and the level of protection offered by platforms built on direct trust.
Substack said it has fixed the system problem that allowed the access and has launched an investigation. The company has not shared plans around regulator contact, law enforcement involvement or identity protection services.
For creators who depend on direct links to paying readers, the episode has added unease. Email addresses and phone numbers are central to newsletter businesses, and any loss of control can damage confidence.
Substack’s message to users ended with an apology. Best wrote, “I’m reaching out to let you know about a security incident that resulted in the email address and phone number from your Substack account being shared without your permission… I’m incredibly sorry this happened. We take our responsibility to protect your data and your privacy seriously, and we came up short here.”