Substack Discloses Security Breach Exposing User Email Addresses and Phone Numbers

05.02.2026

Newsletter platform Substack has officially confirmed a significant data breach affecting user accounts, disclosing the incident via email communication to its user base. The company revealed that in October, an unauthorized third party successfully gained access to user data, compromising email addresses, phone numbers, and additional internal metadata that has not been fully specified.

According to the breach notification, more sensitive information including credit card numbers, passwords, and financial data remained secure and was not accessed during the incident. Substack CEO Chris Best stated in the user notification that the company identified the security vulnerability in February that enabled the unauthorized system access.

"I'm reaching out to let you know about a security incident that resulted in the email address and phone number from your Substack account being shared without your permission," Best wrote in the email. "I'm incredibly sorry this happened. We take our responsibility to protect your data and your privacy seriously, and we came up short here."

Best confirmed that the security issue has been remediated and an internal investigation has been initiated. However, several critical questions remain unanswered:

• The specific nature of the system vulnerability that was exploited
• The complete scope and volume of data accessed
• The reason for the five-month delay between the breach occurrence and its detection
• Whether the company received any ransom demands from threat actors

Substack has not disclosed the total number of affected users. While the company stated it has found no evidence of data misuse, it did not specify what technical measures, such as log analysis or monitoring systems, are being employed to detect potential abuse.

The platform advised users to exercise caution with incoming emails and text messages, though no specific indicators of compromise or actionable guidance were provided. According to Substack's public data, the platform maintains over 50 million active subscriptions, including 5 million paid subscriptions as of March 2024.

In July 2025, Substack secured $100 million in Series C funding led by BOND and The Chernin Group (TCG), with participation from a16z, Klutch Sports Group CEO Rich Paul, and Skims co-founder Jens Grede.
