
Substack Confirms Data Breach Exposing User Information

Summary

– Substack experienced a security breach where an unauthorized third party accessed limited user data, including email addresses and phone numbers, but not financial information or passwords.
– The breach occurred in October 2025, was detected on February 3, 2026, and the company has since fixed the system vulnerability that allowed it.
– Substack’s notification to users has been criticized by security experts for being vague on details, such as the number of affected users and the reason for the four-month detection delay.
– Security advocates warn that the compromised data is sufficient for targeted phishing, SIM-swapping, or doxxing attacks, urging users to be extra cautious.
– The company is conducting a full investigation and implementing improvements to prevent future incidents, but has not shared specifics about its security processes.

The popular newsletter platform Substack has confirmed a security breach that resulted in unauthorized access to user data, including email addresses and phone numbers. The company’s CEO, Chris Best, informed users about the incident in a notification sent on February 5th. According to the message, the security team identified, on February 3rd, evidence of a breach that had allowed an outside party to obtain limited user data without permission. The compromised information reportedly includes email addresses, phone numbers, and some internal metadata.

Importantly, the company stated that neither financial information, such as credit card numbers, nor passwords were accessed during this incident. Best explained that the unauthorized data collection actually took place back in October 2025. He assured users that the specific system vulnerability that enabled the breach has now been fixed. Substack is conducting a full investigation and implementing measures to strengthen its systems against future threats.

A company spokesperson provided additional context to media, describing the event as an unauthorized party accessing limited account information “during a short window.” They confirmed that once the issue was discovered, it was promptly addressed and extra safeguards were established. The spokesperson declined to share specific details about internal security processes but reiterated that the problem is resolved.

The notification did not specify the total number of users impacted by this breach, nor did it clarify why the intrusion, which occurred in October, was not detected until February. Substack reported having more than 50 million active subscriptions, with five million being paid, as of March 2025.

Security experts have responded to the announcement with a mix of acknowledgment and concern. Javvad Malik, a lead security awareness advocate at KnowBe4, noted that while transparent breach notifications are commendable, this particular disclosure lacks crucial details. He pointed out that the phrase ‘limited user data’ is particularly vague, as email addresses and phone numbers are powerful tools for attackers. This information can facilitate targeted phishing campaigns, SIM-swap attempts, or doxxing. Malik emphasized that even without passwords, criminals can use this data for effective social engineering attacks.

Malik also highlighted the significant timeline of the breach. The fact that data was accessed in October 2025 but only disclosed in February represents a considerable dwell time. He clarified that this doesn’t necessarily imply negligence on Substack’s part, as detection can be inherently challenging. However, impacted users deserve a clearer explanation of how the breach was eventually identified, which monitoring controls initially failed, and what specific changes are being made to prevent a recurrence.

Other privacy advocates have issued direct warnings to Substack’s user base. Chris Hauk of Pixel Privacy urged individuals to practice extra care when dealing with unexpected messages, emails, or calls. Similarly, Paul Bischoff from Comparitech advised users to be on the lookout for targeted phishing emails and scams that may leverage the stolen contact information.

(Source: InfoSecurity Magazine)
