PROBABLYPWNED
Data Breaches | February 7, 2026 | 4 min read

Substack Breach Exposes 700K Users' Emails and Phones

Substack's October 2025 breach went undetected for four months. 700,000 users' email addresses and phone numbers were accessed by an unauthorized third party.

Sarah Mitchell

Newsletter platform Substack confirmed a data breach affecting approximately 700,000 users after discovering that an unauthorized third party accessed its systems. The intrusion happened in October 2025 but went undetected until February 3, 2026—four months of exposure before anyone noticed.

Substack CEO Chris Best told users in a notification email that the company found "evidence of a problem with our systems that allowed an unauthorized third party to access limited user data without permission." The disclosure came after a hacker began leaking stolen data on dark web forums, effectively forcing the company's hand.

What Was Exposed

The attacker accessed:

  • Email addresses
  • Phone numbers
  • Names and bios
  • Profile pictures
  • User IDs
  • Internal metadata

Substack says credit card numbers, passwords, and financial information were not compromised. That's a meaningful distinction, but email addresses and phone numbers are still valuable for targeted phishing campaigns—especially when tied to subscriber lists that reveal someone's interests and reading habits. We've seen how stolen contact data fuels sophisticated phishing campaigns like the Tycoon2FA operation that targeted millions of inboxes.

Four Months of Silence

The gap between October 2025 and February 2026 is the real story here. Four months is a long time for an attacker to sit on stolen contact information, and Substack only discovered the breach after stolen data started circulating publicly.

That detection failure puts Substack in a difficult position. The SoundCloud breach followed a similar pattern where data circulated before the platform acknowledged the problem. Users who were exposed in October had no opportunity to watch for suspicious activity during the most dangerous window—the period immediately after a breach, when stolen data is freshest and most valuable for attackers.

This is Substack's second known security incident. The first, back in 2020, was comparatively minor: the company accidentally CC'd user email addresses in a bulk policy update instead of using BCC. The 2026 breach is orders of magnitude more serious.

What Affected Users Should Do

If you have a Substack account—whether as a writer, subscriber, or both—take these steps:

  1. Watch for phishing emails that reference your Substack subscriptions or writing. Attackers with your email, name, and subscriber metadata can craft targeted messages that look legitimate.
  2. Be skeptical of texts from unknown numbers, especially those referencing newsletter content or Substack features.
  3. Review your email for suspicious login attempts on other platforms; credential stuffing attacks often follow email leaks.
  4. Consider using email aliases for newsletter subscriptions going forward, limiting exposure from future platform breaches.

The Platform Trust Problem

Substack has positioned itself as the home for independent writers and journalists, many of whom cover sensitive topics—politics, national security, corporate accountability. The subscriber lists of those publications aren't just email addresses. They're intelligence: who reads what, which topics draw engagement, and how to reach those audiences.

For writers covering sensitive subjects, a leaked subscriber list creates real risks beyond spam. Sources who subscribe under personal email addresses may face exposure. Readers in authoritarian countries who subscribe to dissident publications now have a record of that activity in criminal hands.

This connects to a broader pattern of platform security failures where user trust data—the kind that reveals behaviors and interests rather than just identities—becomes a liability when breached. It's the same dynamic we've seen with social engineering attacks that exploit personal context to manipulate targets.

Why This Matters

The Substack breach is modest in scale compared to incidents like the Conduent breach affecting 25.9 million Americans. But size isn't everything. The nature of the data—subscriber relationships, reading habits, contact details tied to interest profiles—makes this breach qualitatively different from a typical records dump.

And the four-month detection gap is a reminder that many breaches only come to light when attackers choose to make them public. For every breach we know about, there are almost certainly others still running silently. Check our online safety tips for guidance on minimizing your exposure across platforms.
