Substack Data Breach Exposes User Emails and Phone Numbers
▼ Summary
– Substack confirmed a data breach where an unauthorized party accessed user data like email addresses and phone numbers in October.
– Sensitive information such as credit card numbers and passwords was not compromised in the incident.
– The company discovered and fixed the security issue in February, then began an investigation and apologized to users.
– Substack has not disclosed the number of affected users or the exact cause, and it took five months to detect the breach.
– The platform has over 50 million active subscriptions and raised $100 million in funding in July 2025.
Popular newsletter platform Substack has notified its user base of a significant data security incident, confirming that an unauthorized party gained access to subscriber information. The breach, which occurred in October, involved the exposure of user email addresses and phone numbers, along with certain internal metadata. According to the company’s statement, more critical financial data like credit card details and account passwords remained secure and were not compromised.
Chief Executive Chris Best communicated the news directly to users via email, expressing regret over the failure to protect their information. He explained that the vulnerability within Substack’s systems was identified and subsequently remedied in February, with a formal investigation launched at that time. “I’m reaching out to let you know about a security incident that resulted in the email address and phone number from your Substack account being shared without your permission,” Best wrote. “I’m incredibly sorry this happened. We take our responsibility to protect your data and your privacy seriously, and we came up short here.”
Several important questions remain unanswered following the disclosure. The technical nature of the system flaw and the full extent of the data accessed have not been publicly detailed. Furthermore, the five-month gap between the breach and its detection raises concerns about the platform’s security monitoring, and it is unknown whether the intruders attempted any form of ransom demand. The company has not provided specifics on how many of its millions of users were impacted by this event.
In its communication, Substack stated it has not found evidence that the stolen data is currently being misused. However, the company did not elaborate on the technical methods, such as log analysis, used to reach this conclusion. As a precaution, users have been advised to exercise increased vigilance with unsolicited emails and text messages. The platform, which reports over 50 million active subscriptions and 5 million paid subscribers, secured a substantial $100 million in funding last year from notable investors including BOND and The Chernin Group.
(Source: TechCrunch)
