Substack Breach May Have Leaked Nearly 700,000 User Details Online
A popular home for independent writers is dealing with a security scare.
Substack has confirmed that hackers accessed user data, exposing email addresses, phone numbers, and internal account details in an incident that went undetected for months.
The subscription-based newsletter platform, which claims to have around 50 million active subscribers, including 5 million paid subscriptions, disclosed the breach in emails sent to affected users this month.
In a notice to users, Substack CEO Chris Best acknowledged the incident and apologized.
“On February 3rd, we identified evidence of a problem with our systems that allowed an unauthorized third party to access limited user data without permission, including email addresses, phone numbers, and other internal metadata,” Best wrote in the breach notification email.
He added: “This data was accessed in October 2025. Importantly, credit card numbers, passwords, and financial information were not accessed.”
The four-month gap has experts concerned
Perhaps the most troubling detail to emerge is the timeline. The unauthorized access happened in October 2025. Substack discovered it on Feb. 3, 2026. That’s roughly 100 days of potential exposure that the company was completely unaware of.
Substack has not explained why it took so long to notice the breach or how the attackers initially gained access. Best, however, said the company has already “fixed the problem with our system that allowed this to happen.” A full investigation is underway, and Substack claims it’s implementing changes to prevent a repeat performance.
“We do not have evidence that this information is being misused,” Best wrote, “but we encourage you to take extra caution with any emails or text messages you receive that may be suspicious.”
Nearly 700,000 records leaked online
While Substack has not disclosed the number of users affected, cybersecurity outlet BleepingComputer reported that a threat actor posted a database containing 697,313 records on the hacking forum BreachForums.
According to that report, the attacker claimed the data was scraped and said the “scraping method used was noisy and patched fast.” Substack has not publicly confirmed the exact number of impacted users.
Longtime users might feel a sense of déjà vu. Back in July 2020, Substack accidentally exposed some users’ email addresses by including them in the ‘to’ line of a privacy policy update email instead of the ‘bcc’ field. That was an embarrassing mistake, but a far cry from a targeted breach by an unauthorized third party.
Also read: A recent campaign shows how phishing emails can look legitimately “trusted,” even when they’re designed to steal data.
About Author
