Substack Data Breach Exposes User Emails and Phone Numbers

Originally published on: February 5, 2026
Summary

– Substack has notified some users that their account-linked email addresses and phone numbers were exposed in an unauthorized data access incident in October 2025.
– The company’s CEO stated that passwords, credit card numbers, and other financial information were not compromised in the security breach.
– Substack has fixed the security problem and is conducting a full investigation while strengthening its systems to prevent future issues.
– The platform did not disclose the nature of the security flaw or the exact number of users affected by the incident.
– The CEO apologized for the breach, acknowledging the company’s responsibility to protect user data and privacy.

Users of the popular newsletter platform Substack are being alerted about a significant data breach that occurred last year, which exposed personal contact information. The company has begun notifying affected account holders that an unauthorized third party accessed internal systems in October 2025, compromising email addresses and phone numbers linked to user accounts. According to an email from CEO Chris Best, the incident did not expose more sensitive data like passwords, credit card details, or other financial information. The platform has assured users that it has since resolved the security flaw and is conducting a thorough investigation.

The breach was identified on February 3rd, when evidence surfaced of a system vulnerability that allowed the unauthorized access. In his communication, Best stated that the compromised data included email addresses, phone numbers, and certain internal metadata. He emphasized that there is currently no evidence this information is being actively misused. However, the company is advising all users to exercise increased caution with any unsolicited emails or text messages that appear suspicious, as such data can be used for phishing attempts.

Substack has committed to strengthening its security measures to prevent similar incidents moving forward. The notification did not specify the exact nature of the security issue or reveal the total number of users impacted. Reports indicate that the notifications have not been universal, with some users, including several journalists, confirming they did not receive the alert. The company has not yet provided further public clarification on these details.

CEO Chris Best expressed regret over the incident, acknowledging a failure in their duty to protect user privacy. “I’m incredibly sorry this happened,” he wrote. “We take our responsibility to protect your data and your privacy seriously, and we came up short here.” The platform’s response includes fixing the identified vulnerability and undertaking a comprehensive review of its systems. For users, the primary concern remains the exposure of direct contact information, which could lead to targeted spam or social engineering attacks, underscoring the importance of vigilance in digital communications.

(Source: The Verge)
