Substack Breach Exposes 700K Users' Emails and Phones
Substack's October 2025 breach went undetected for four months. 700,000 users' email addresses and phone numbers were accessed by an unauthorized third party.
Newsletter platform Substack confirmed a data breach affecting approximately 700,000 users after discovering that an unauthorized third party accessed its systems. The intrusion happened in October 2025 but went undetected until February 3, 2026—four months of exposure before anyone noticed.
Substack CEO Chris Best told users in a notification email that the company found "evidence of a problem with our systems that allowed an unauthorized third party to access limited user data without permission." The disclosure came after a hacker began leaking stolen data on dark web forums, effectively forcing the company's hand.
What Was Exposed
The attacker accessed:
- Email addresses
- Phone numbers
- Names and bios
- Profile pictures
- User IDs
- Internal metadata
Substack says credit card numbers, passwords, and financial information were not compromised. That's a meaningful distinction, but email addresses and phone numbers are still valuable for targeted phishing campaigns—especially when tied to subscriber lists that reveal someone's interests and reading habits. We've seen how stolen contact data fuels sophisticated phishing campaigns like the Tycoon2FA operation that targeted millions of inboxes.
Four Months of Silence
The gap between October 2025 and February 2026 is the real story here. Four months is a long time for an attacker to sit on stolen contact information, and Substack only discovered the breach after stolen data started circulating publicly.
That detection failure puts Substack in a difficult position. The SoundCloud breach followed a similar pattern where data circulated before the platform acknowledged the problem. Users who were exposed in October had no opportunity to watch for suspicious activity during the most dangerous window—the period immediately after a breach, when stolen data is freshest and most valuable for attackers.
This is Substack's second known security incident. The first, back in 2020, was comparatively minor: the company accidentally CC'd user email addresses in a bulk policy update instead of using BCC. The 2026 breach is orders of magnitude more serious.
What Affected Users Should Do
If you have a Substack account—whether as a writer, subscriber, or both—take these steps:
- Watch for phishing emails that reference your Substack subscriptions or writing. Attackers with your email, name, and subscriber metadata can craft targeted messages that look legitimate
- Be skeptical of texts from unknown numbers, especially those referencing newsletter content or Substack features
- Review your email for suspicious login attempts on other platforms—credential stuffing attacks often follow email leaks
- Consider using email aliases for newsletter subscriptions going forward, limiting exposure from future platform breaches
The Platform Trust Problem
Substack has positioned itself as the home for independent writers and journalists, many of whom cover sensitive topics—politics, national security, corporate accountability. The subscriber lists of those publications aren't just email addresses. They're intelligence: who reads what, which topics draw engagement, and how to reach those audiences.
For writers covering sensitive subjects, a leaked subscriber list creates real risks beyond spam. Sources who subscribe under personal email addresses may face exposure. Readers in authoritarian countries who subscribe to dissident publications now have a record of that activity in criminal hands.
This connects to a broader pattern of platform security failures where user trust data—the kind that reveals behaviors and interests rather than just identities—becomes a liability when breached. It's the same dynamic we've seen with social engineering attacks that exploit personal context to manipulate targets.
Why This Matters
The Substack breach is modest in scale compared to incidents like the Conduent breach affecting 25.9 million Americans. But size isn't everything. The nature of the data—subscriber relationships, reading habits, contact details tied to interest profiles—makes this breach qualitatively different from a typical records dump.
And the four-month detection gap is a reminder that many breaches only come to light when attackers choose to make them public. For every breach we know about, there are almost certainly others still running silently. Check our online safety tips for guidance on minimizing your exposure across platforms.
Related Articles
AssuranceAmerica Breach Exposes 6.9M Driver's License Numbers
Insurance provider AssuranceAmerica disclosed a data breach affecting 6.9 million customers—the largest known exposure of driver's license numbers in 2026. Attackers compromised employee credentials.
Jul 11, 2026Accenture Confirms Breach: 35GB Source Code, Keys Stolen
Threat actor '888' offers 35GB of Accenture data for sale including source code, RSA keys, SSH keys, and Azure tokens. Third major breach for the IT giant.
Jul 8, 2026Medtronic Breach Exposes 3.8 Million Patients' Health Data
Pacemaker maker Medtronic notifies 3.8 million patients after April breach exposed SSNs and health information. ShinyHunters claims responsibility for the attack.
Jul 4, 2026KDDI Breach Exposes 14.2 Million Email Credentials Across Japan
A vulnerability in third-party software let attackers access KDDI's shared email platform, potentially exposing login credentials for 6 Japanese ISPs.
Jun 30, 2026