Substack Confirms Data Breach, “Limited User Data” Compromised

By Team-CWD, February 6, 2026
Newsletter platform Substack has confirmed it suffered a security incident, leading to the compromise of users’ email addresses and phone numbers.

Chris Best, the CEO of Substack, notified users of the data breach in an email sent to some users on February 5.

The CEO said his security team detected the incident on February 3, noticing “evidence of a problem with our systems that allowed an unauthorized third party to access limited user data without permission, including email addresses, phone numbers and other internal metadata.”

He added that no passwords or financial information, including credit card numbers, were accessed.

Best further explained that the data collection occurred in October 2025 and claimed that the Substack security team has now “fixed the problem with our system that allowed this to happen.” No further information on the incident was provided.

Substack is now conducting a full investigation and is taking steps to improve its systems and processes to prevent this type of issue from happening in the future.

Speaking to Infosecurity, a Substack spokesperson said an unauthorized party was able to access limited account information “during a short window.”

“Once we became aware, the issue was addressed and additional safeguards were put in place. We cannot share specifics about our security systems and processes, but we can confirm that the issue has been resolved,” they added.

No further information on the incident was provided and the Substack CEO did not specify the number of affected users or clarify why the breach was only detected four months after it happened.

Substack reported having over 50 million active subscriptions, including five million paid, as of March 2025.

Javvad Malik, a lead security awareness advocate at KnowBe4, said that while transparent breach notifications “should always be commended,” this one is “a bit light on the details which does not help people accurately judge the risk and take concrete action.”

“The phrase ‘limited user data’ is particularly vague. Email addresses and phone numbers are enough for targeted phishing, SIM-swap attempts, or doxxing. Even if passwords weren’t accessed, attackers don’t need passwords if they can socially engineer users,” Malik said.

“The timeline is significant. If the data was accessed in October 2025, but only just disclosed, it’s a significant dwell time. That isn’t to say there’s negligence on part of Substack because detection can be difficult,” Malik commented. “But impacted users deserve a clearer explanation of how the breach was identified and which monitoring controls failed to detect it initially, and most importantly, what’s changing as a result.”

Chris Hauk, a consumer privacy advocate at Pixel Privacy, urged Substack users to “practice extra care” when dealing with unexpected messages, emails or calls, while Paul Bischoff, also a consumer privacy advocate at Comparitech, emphasized that they should be “on the lookout for targeted phishing emails and scams.”
