Substack Confirms Data Breach Exposing User Contact Information
The digital publishing platform Substack confirmed a data breach on February 4, 2026, after discovering attackers had accessed its systems. The incident occurred in October 2025 and was publicly confirmed by CEO Chris Best.
The breach was apparently caused by a system flaw that allowed an external actor to access user data. Substack was unaware of the intrusion for approximately five months and detected the issue on February 3, 2026. Although the specific technical vulnerability was not detailed, the company stated it has since fixed the underlying problem to prevent further unauthorized access.
The company confirmed the following data was compromised:
- Email addresses
- Phone numbers
- Internal metadata
A threat actor on BreachForums claims the stolen data also includes:
- Full names
- User IDs
- Stripe IDs
- Profile pictures and biographies
The threat actor claims to have stolen 697,313 records. Substack has not confirmed the number of affected individuals. The company claims that passwords, credit card numbers, and other financial information were not accessed. The organization notified affected users via email, apologizing for the security failure.
Users should monitor their accounts for phishing attempts. Security experts recommend enabling two-factor authentication (2FA) and being wary of unexpected texts or emails.