Substack Data Breach Exposes Email Addresses, Phone Numbers
Substack has confirmed a data breach exposing users' email addresses and phone numbers to an unauthorized third party. The incident occurred in October 2025 but wasn't detected until February 2026—raising urgent questions about notification delays and platform security. Crucially, payment details, passwords, and financial data remain secure. If you publish or subscribe to newsletters on Substack, here's what you need to know right now to protect your digital footprint.
How the Breach Unfolded: A Five-Month Blind Spot
In a direct email to users, Substack CEO Chris Best disclosed that attackers exploited an unknown vulnerability in the company's systems last October. The breach granted access to contact information and internal metadata—but went undetected for nearly five months. Best acknowledged the failure plainly: "We came up short here."
Security experts note that extended detection windows often indicate insufficient monitoring protocols or overlooked anomaly alerts. While Substack hasn't clarified whether ransom demands preceded disclosure, the timeline suggests internal discovery rather than external pressure triggered the announcement. This delay matters: every extra day gives bad actors more time to weaponize stolen contact details for phishing campaigns or identity profiling.
What Was Compromised—and What Remains Safe
The breach specifically exposed two high-value data points: email addresses and phone numbers tied to Substack accounts. These identifiers fuel targeted scams, SIM-swapping attempts, and social engineering attacks. Internal metadata—likely including subscription activity, device types, or IP logs—may also have been accessed, though Substack hasn't specified its nature.
Critically, Substack confirmed that core security layers held firm. Credit card numbers, bank details, passwords, and cryptographic keys were never at risk. Payment processing occurs through isolated, PCI-compliant gateways, while passwords remain hashed using industry-standard algorithms. This separation likely prevented catastrophic fallout—but contact data alone carries serious real-world consequences.
Why Notification Timing Raises Red Flags
Users rightly wonder: why wait until February to disclose an October breach? Legally, many jurisdictions require companies to notify affected individuals "without unreasonable delay" after confirming a breach. Substack's five-month gap sits uncomfortably close to that boundary.
Possible explanations include forensic complexity—tracing an attacker's path through systems takes time—or cautious legal review before public statements. Yet transparency builds trust. Had Substack alerted users weeks earlier, individuals could have preemptively fortified accounts against spear-phishing. The company now urges vigilance but offers no concrete evidence of active misuse—leaving users to navigate uncertainty without clear threat indicators.
Scale of Impact: Millions in the Crosshairs
Substack hasn't disclosed exact breach numbers—a significant omission given its scale. The platform hosts over 50 million active subscriptions, including 5 million paid relationships. Even a fraction of that base represents massive exposure.
Consider the ripple effect: a single compromised creator account could leak subscriber lists across dozens of niche newsletters. Journalists, analysts, and activists using Substack for sensitive communications face elevated risks. Unlike social media handles, email and phone numbers are persistent identity anchors—difficult to replace and easily weaponized across platforms.
Substack's Response: Apologies and Action Steps
Best's user email emphasized three remediation actions: patching the exploited vulnerability, launching a forensic investigation with third-party security firms, and enhancing monitoring systems. The company also committed to ongoing updates—a promise users should hold them to.
Yet the guidance for affected individuals feels thin. Substack vaguely advises caution with unsolicited messages but omits concrete steps like enabling two-factor authentication (2FA) or checking Have I Been Pwned. For a platform built on creator-reader trust, this reactive stance feels insufficient. Proactive protection—not just corporate apologies—defines true accountability.
What You Must Do Today: A Practical Defense Plan
Don't wait for signs of misuse. Act now with these layered defenses:
First, treat all unexpected emails or texts referencing Substack with extreme skepticism. Scammers will impersonate "Substack Security" to harvest passwords. Never click links in unsolicited messages—log in directly via your browser instead.
Second, enable 2FA immediately on your Substack account and any services sharing that email address. Use an authenticator app rather than SMS-based codes, since phone numbers were exposed. This blocks 99% of automated account takeovers.
Third, freeze your credit with major bureaus if you used a dedicated email for financial services. While payment data wasn't breached, attackers cross-reference leaked contacts with other databases to build identity profiles. A credit freeze costs nothing and prevents fraudulent account openings.
Finally, consider a dedicated email alias for newsletter subscriptions. Services like SimpleLogin or Apple's Hide My Email let you mask your primary address—containing future breaches to disposable inboxes.
Newsletter Platforms Under Scrutiny
This incident spotlights a growing vulnerability: the centralization of creator economies on single platforms. Substack, Beehiiv, and Ghost hold intimate reader data once scattered across personal websites. That convenience creates attractive targets.
Platforms must adopt zero-trust architectures—assuming breaches will happen and designing systems to minimize blast radius. Contact data should be encrypted at rest, access logs rigorously audited, and breach detection automated with AI-driven anomaly spotting. Most importantly, companies must prioritize rapid disclosure. Users deserve agency to protect themselves—not delayed apologies after damage is done.
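One concrete form of the automated detection this paragraph calls for is a check over contact-data access logs that flags any principal reading email or phone fields for an unusual number of distinct accounts inside a short window. The code below is an added example written for this article, not Substack's code; the log format, principal names, window and threshold are all assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Fields whose bulk read would indicate contact-data exfiltration.
CONTACT_FIELDS = {"email", "phone"}


def parse_line(line):
    """Parse one constructed log line:
    '<ISO-8601 UTC> <principal> <action> acct=<id> fields=<f1,f2>'."""
    ts, principal, action, acct, fields = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "principal": principal,
        "action": action,
        "acct": acct.split("=", 1)[1],
        "fields": set(fields.split("=", 1)[1].split(",")),
    }


def find_bulk_contact_reads(lines, window=timedelta(minutes=5), threshold=50):
    """Return {principal: peak distinct accounts whose contact fields it read
    within any single `window`} for principals at or above `threshold`."""
    events = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        e = parse_line(line)
        if e["action"] == "read_user" and e["fields"] & CONTACT_FIELDS:
            events[e["principal"]].append((e["ts"], e["acct"]))
    alerts = {}
    for principal, evs in events.items():
        evs.sort()
        lo, peak = 0, 0
        for hi in range(len(evs)):  # sliding window over sorted timestamps
            while evs[hi][0] - evs[lo][0] > window:
                lo += 1
            peak = max(peak, len({acct for _, acct in evs[lo:hi + 1]}))
        if peak >= threshold:
            alerts[principal] = peak
    return alerts


def constructed_log():
    """Constructed sample: a billing service touching one account a minute
    (normal) and an export principal sweeping 300 accounts in two minutes."""
    base = datetime(2025, 10, 14, 2, 0, 0)
    lines = [f"{base + timedelta(minutes=i):%Y-%m-%dT%H:%M:%SZ} svc-billing "
             f"read_user acct={1000 + i} fields=email" for i in range(20)]
    lines += [f"{base + timedelta(seconds=i * 0.4):%Y-%m-%dT%H:%M:%SZ} api-export "
              f"read_user acct={2000 + i} fields=email,phone" for i in range(300)]
    return lines
```

Running `find_bulk_contact_reads(constructed_log())` flags only `api-export`; the same sweep spread over months would not trip this window, which is why a rate check belongs beside a per-principal volume baseline.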
Rebuilding Trust Starts With Transparency
Substack's breach wasn't catastrophic—but its handling risks lasting reputational harm. Creators choose platforms based on perceived safety for their audiences. When contact data leaks, that covenant fractures.
Moving forward, Substack must do more than patch code. Publish a detailed post-incident review naming the vulnerability type and timeline. Offer free identity monitoring to affected users. And advocate industry-wide for faster breach disclosure standards. Trust isn't restored through emails alone—it's earned through visible, structural change.
Your Data, Your Defense
No platform is breach-proof. But your resilience depends on layered habits: unique passwords, 2FA everywhere, and healthy skepticism toward unsolicited messages. Treat this incident as a wake-up call—not just for Substack, but for your entire digital hygiene.
The attackers didn't get your password or credit card. But they got keys to your digital front door. Change the locks now. Monitor who's knocking. And remember: in today's internet, vigilance isn't paranoia—it's self-preservation.
Substack's breach reminds us that our data's safety hinges on both corporate responsibility and personal action. Demand better from platforms. But never outsource your security entirely. In the attention economy, your contact details are currency—and you're the only one who can truly guard the vault.