# Substack Admits Security Breach Exposed Contact Info
Substack, the popular newsletter platform powering millions of independent creators, has confirmed a major security breach that exposed users' email addresses and phone numbers to an unauthorized third party.[1][2][4] CEO Chris Best disclosed the incident in emails to affected users, revealing the hack occurred in October 2025 but went undetected until February 3, 2026, sparking concerns over the company's data protection practices.[1][2][5]
Breach Details: What Data Was Compromised?
The intrusion allowed hackers to access email addresses, phone numbers, and other internal metadata from Substack accounts, providing scammers with a potential treasure trove for phishing attacks.[1][2][3][4] Substack emphasized that more sensitive information, including passwords, credit card numbers, and financial data, remained secure and untouched.[1][2][4][5] The company has not disclosed the exact number of impacted users, though its platform boasts over 50 million active subscriptions, including 5 million paid ones.[2][4]
Discovered on February 3 after months of undetected access, the breach highlights vulnerabilities in Substack's systems, with no details released on the entry method or scope.[1][2][4] Best stated in notifications: "We identified evidence of a problem with our systems that allowed an unauthorized third party to access limited user data without permission."[1][5] This four-to-five-month delay in detection has drawn scrutiny amid rising expectations for robust security on content platforms.[1][2]
Substack's Response and Ongoing Investigation
Substack acted swiftly upon discovery, patching the exploited vulnerability and launching a comprehensive investigation to prevent future incidents.[1][2][3][4][5] "We have fixed the problem with our system that allowed this to happen," Best assured users, while committing to enhanced processes.[4][5] The platform urged heightened vigilance against suspicious emails or texts, noting no current evidence of data misuse but acknowledging phishing risks.[1][2][3][4]
Transparency efforts include direct notifications to affected account holders, where Best apologized: "I’m incredibly sorry this happened. We take our responsibility to protect your data and your privacy seriously, and we came short here."[2][5] However, Substack has withheld technical specifics on the flaw or detection methods, prompting questions from outlets like TechCrunch and BleepingComputer.[2][4] This marks the second notable privacy issue for the platform since a 2020 email exposure mishap.[4]
Implications for Users and the Creator Economy
The breach arrives as Substack cements its role as a haven for journalists and creators ditching traditional media, backed by a July 2025 $100 million funding round.[1][2][4] With phishing scammers now armed with contact details, users face elevated risks of targeted fraud, underscoring the need for data breach vigilance in the booming newsletter space.[1][3] Independent creators relying on subscriber trust may hesitate, amplifying pressure on Substack to rebuild confidence through superior security.[1]
Broader industry trends show mounting cyber threats to platforms handling creator economies, where user data fuels personalized content and monetization.[1][2] Substack's mishap serves as a cautionary tale, emphasizing proactive monitoring to safeguard the independent publishing ecosystem.[3]
Frequently Asked Questions
What exactly was exposed in the Substack data breach?
Email addresses, phone numbers, and internal metadata were accessed by an unauthorized party in October 2025, but passwords, credit cards, and financial info were not compromised.[1][2][4][5]
When did the Substack breach occur and when was it discovered?
The unauthorized access happened in October 2025, but Substack only identified it on February 3, 2026—about four to five months later.[1][2][4]
How many Substack users were affected by the breach?
Substack has not disclosed the number of impacted users, despite serving over 50 million active subscriptions.[2][4]
What is Substack doing to address the security breach?
The company fixed the system vulnerability, launched a full investigation, and notified users while improving processes to prevent recurrence.[1][2][4][5]
Should Substack users be worried about phishing after the breach?
Yes, remain cautious of suspicious emails or texts, as exposed contact info could fuel phishing scams, though no misuse evidence exists yet.[1][2][3][4]
Has Substack experienced data breaches before?
This is the second incident; in 2020, user emails were accidentally exposed in a privacy policy update email.[4]
🔄 Updated: 2/5/2026, 3:10:58 PM
**LIVE NEWS UPDATE: Substack Breach Sparks Global Alarm Over Phishing Risks**
Substack's breach, exposing email addresses and phone numbers of users worldwide—including from its **50 million active subscriptions across 150+ countries**—has heightened phishing fears for independent creators and journalists globally, with CEO Chris Best admitting, **"We came up short here"** in a notification to affected accounts.[1][2][5] International regulators in the EU and elsewhere are probing potential GDPR violations due to the undetected October 2025 access until February 3, while no official responses yet from bodies like the UK's ICO or Australia's OAIC, amid warnings of scam surges targeting global subscribers.[3][7] Substack report
🔄 Updated: 2/5/2026, 3:21:09 PM
**LIVE NEWS UPDATE: Regulators Eye Substack Breach Amid Data Protection Probes**
No formal regulatory actions have been announced against Substack following its February 3 disclosure of the October 2025 breach exposing user email addresses, phone numbers, and metadata, but experts warn of looming scrutiny under GDPR and CCPA for the four-month detection delay.[3] The company has not confirmed notifying law enforcement or offering identity protection, leaving open questions on compliance in affected jurisdictions.[3] "Substack also has not confirmed whether it will face regulatory scrutiny under data protection laws," one report notes, as affected users—potentially from its 50 million active subscriptions—await further developments.[2][3]
🔄 Updated: 2/5/2026, 3:30:57 PM
**Substack disclosed a security breach that exposed user email addresses and phone numbers after an unauthorized party accessed its systems in October 2025, with the company only discovering the intrusion on February 3rd—a four-month detection gap[1][2].** CEO Chris Best stated in breach notifications that "credit card numbers, passwords, and financial information were not accessed," though the company has not disclosed how many of its 50 million active subscriptions were affected[2][3].** The platform has fixed the vulnerability and launched an investigation, while warning users to exercise caution with suspicious emails and text messages that could exploit the exposed contact information[1][3].**
🔄 Updated: 2/5/2026, 3:40:58 PM
**LIVE NEWS UPDATE: Substack Breach Fallout**
Security experts are slamming Substack's **four-month detection delay** from the October 2025 intrusion to its February 3 discovery, with TechBuzz analysts warning it "raises serious questions about the company's security monitoring capabilities" amid rising threats to creator platforms[1]. Cybersecurity commentator Brian Harris highlighted the breach's phishing risks, noting exposed emails and phones create a "potential goldmine" for scammers, especially as Substack boasts over **50 million active subscriptions** including **5 million paid** without disclosing affected user numbers[2][1]. CEO Chris Best admitted in notifications, "We came up short here," as industry voices urge transparency on the undetected vulnerability[
🔄 Updated: 2/5/2026, 3:50:57 PM
**LIVE UPDATE: No Confirmed Regulatory Response to Substack Breach**
As of February 5, 2026, no government agencies or regulators have publicly responded to Substack's disclosure of a security breach exposing user email addresses, phone numbers, and internal metadata from an October 2025 intrusion detected on February 3[1][3]. Substack has not confirmed notifying law enforcement or facing scrutiny under data protection laws, despite a hacker claiming to have stolen nearly **700,000** user records[5][1]. Sources indicate potential vulnerability to regulations like GDPR or CCPA, but no investigations, fines, or official statements have emerged[1].
🔄 Updated: 2/5/2026, 4:01:03 PM
**Substack Data Breach Update: Global Fallout Mounts as Hacker Claims 700,000 Records Stolen**
A hacker claims to have stolen nearly **700,000 Substack user records**—including email addresses, phone numbers, full names, user IDs, and social media handles—from the October 2025 breach, affecting subscribers worldwide across the platform's **50 million active subscriptions**[2][6]. With no international regulatory responses disclosed yet, CEO Chris Best's notification urged global users to "take extra caution with any emails or text messages you receive that may be suspicious," as the four-month detection delay heightens phishing risks for creators and readers in multiple jurisdictions[1][5]. Investigations continue without evidence of misuse, but experts warn o
🔄 Updated: 2/5/2026, 4:11:04 PM
**LIVE UPDATE: No Regulatory or Government Response to Substack Breach Yet**
As of 4 PM UTC, no government agencies or regulators have issued statements or launched investigations into Substack's October 2025 security breach, which exposed email addresses and phone numbers of nearly **700,000 users** undetected until February 3, 2026[6]. A hacker has leaked the data on the dark web, but authorities like the FTC or EU data protection bodies remain silent despite the platform's **50 million active subscriptions**[3]. Substack CEO Chris Best stated, **"We have fixed the problem... and are conducting a full investigation,"** with no official probes announced[1][2].
🔄 Updated: 2/5/2026, 4:21:08 PM
Substack has not disclosed any regulatory or government response to the breach as of this update.[1][3] The company has also not confirmed whether it has notified law enforcement about the incident or disclosed whether it will face regulatory scrutiny under data protection laws in jurisdictions where affected users reside.[1] A hacker claims to have stolen nearly 700,000 Substack user records in the October 2025 breach, which went undetected for four months until the company discovered it on February 3.[5]
🔄 Updated: 2/5/2026, 4:31:09 PM
**Substack Breach Sparks Global Alarm Over Phishing Risks to 50 Million+ Users.** A hacker claims to have stolen nearly **700,000 user records**—including email addresses and phone numbers—from the platform's October 2025 breach, threatening subscribers worldwide across its **50 million active subscriptions**[3][6]. With no international regulatory responses detailed yet, CEO Chris Best warned globally affected users: “We take our responsibility to protect your data and your privacy seriously, and we came up short here,” urging vigilance against phishing amid potential scrutiny under data laws in multiple jurisdictions[1][3].
🔄 Updated: 2/5/2026, 4:41:09 PM
**Substack Data Breach Sparks Global Phishing Fears as Hacker Leaks 700,000 User Records.** A hacker claims to have stolen nearly **700,000 Substack user records**—including email addresses and phone numbers from an October 2025 intrusion disclosed February 3—potentially fueling international phishing campaigns targeting the platform's **50 million active subscriptions** across creators worldwide[2][6]. With no formal responses yet from regulators like the EU's GDPR enforcers or U.S. FTC, CEO Chris Best urged global users to "take extra caution with any emails or text messages you receive that may be suspicious," as exposed metadata risks scams in multiple languages and regions[1][4].
🔄 Updated: 2/5/2026, 4:51:08 PM
Substack CEO Chris Best disclosed a data breach affecting an unknown number of users, apologizing directly to affected account holders by stating "This sucks. I'm sorry" and "We came up short here."[1][3] A database allegedly containing 697,313 stolen Substack records was leaked on the hacking forum BreachForums, exposing email addresses, phone numbers, and internal metadata that had been compromised since October 2025 but went undetected for four months.[1][7] While Best assured users that passwords and financial information remained secure, the months-long detection gap has raised serious concerns about the platform's security monitoring capabilities at a time when content creators are increasingly choosing Sub
🔄 Updated: 2/5/2026, 5:01:10 PM
Substack CEO Chris Best confirmed in emails to users that a security breach in **October 2025** allowed unauthorized access to **email addresses, phone numbers, and internal metadata**, discovered only on **February 3, 2026**, with the vulnerability now fixed and a full investigation underway.[1][3][4] A hacker leaked what they claim is a database of **nearly 697,313 Substack user records** on BreachForums, including full names, user IDs, Stripe IDs, profile pictures, biographies, account creation dates, and social media handles, prompting Substack's notifications.[4][7] Best emphasized no passwords, credit cards, or financial data were compromised, urging users to beware suspicious messages, ami
🔄 Updated: 2/5/2026, 5:11:12 PM
**Substack Data Breach Update:** A hacker claims to have leaked nearly **700,000 user records** from the October 2025 breach, including email addresses, phone numbers, full names, user IDs, Stripe IDs, profile pictures, biographies, account creation dates, and social media handles—details exceeding Substack's official disclosure.[5][3] CEO Chris Best confirmed in emails to users: "On February 3rd, we identified evidence of a problem with our systems that allowed an unauthorized third party to access limited user data without permission," adding, "I’m incredibly sorry this happened. We take our responsibility to protect your data and your privacy seriously, and we came short here."[1][2][3] Substack report
🔄 Updated: 2/5/2026, 5:21:13 PM
**LIVE NEWS UPDATE: Substack Breach – Regulatory Scrutiny Mounts**
No specific regulatory or government responses have been announced as of February 5, 2026, following Substack's February 3 disclosure of the October 2025 breach exposing email addresses, phone numbers, and metadata for nearly **700,000 user records**, per hacker claims cited in reports[1][6]. CEO Chris Best's email admitted, **"We take our responsibility to protect your data and your privacy seriously, and we came short here,"** prompting warnings of potential investigations under data protection laws like GDPR or CCPA given the platform's **over 50 million active subscriptions**[2][4]. Officials have yet to comment publicly, but expert
🔄 Updated: 2/5/2026, 5:31:21 PM
**LIVE NEWS UPDATE: Substack Breach Sparks User Outrage Over Exposed Data**
Substack users are flooding social media and creator forums with anger after CEO Chris Best's email admitted a hacker accessed **nearly 700,000 user records**—including emails, phone numbers, full names, and social media handles—from an October 2025 breach undetected until February 3[6]. One creator posted on Substack, *"How many of you all did too??!"* alongside Best's apology: *"I’m incredibly sorry this happened. We take our responsibility... and we came short here,"* prompting widespread demands for transparency on the four-month delay[4][1][2]. Reports of **phishing fears** surg