Substack Confirms Data Breach Exposing User Contact Information
Substack, the popular newsletter platform, has begun notifying a subset of its users that their email addresses and phone numbers were compromised in a security incident that occurred last year. The company disclosed that an unauthorized third party gained access to internal systems, leading to the exposure of sensitive user data.
Details of the Security Incident
In an email communication to affected account holders, Substack CEO Chris Best revealed that the breach took place in October 2025. The hacker infiltrated the platform's internal data repositories without authorization, specifically accessing limited user information. According to Best, the compromised data includes email addresses, phone numbers, and certain internal metadata associated with user accounts.
Importantly, the company has confirmed that more critical financial and authentication data remains secure. Passwords, credit card numbers, and other financial information were not exposed in this incident, providing some relief to concerned users. Substack has emphasized that there is currently no evidence suggesting the stolen information is being actively misused.
Company Response and Investigation
Substack identified evidence of the security vulnerability on February 3rd, 2026, prompting immediate action. The platform has since implemented fixes to address the security flaw and is conducting a comprehensive investigation into the breach. "We have bolstered our systems to prevent this type of issue from happening in the future," Best stated in the user notification.
The company has not disclosed specific technical details about the nature of the security issue or the exact number of users impacted. Initial reports indicate that notification emails have not reached all Substack users, including several journalists from The Verge who use the platform regularly. Substack has been contacted for further clarification regarding the scope of the breach.
User Precautions and CEO Apology
In light of the breach, Substack is advising users to exercise increased caution with any suspicious emails or text messages they receive. While the exposed data doesn't include passwords, it could potentially be used for phishing attempts or other social engineering attacks.
Chris Best expressed regret over the incident in his communication to users: "I'm incredibly sorry this happened. We take our responsibility to protect your data and your privacy seriously, and we came up short here." The apology underscores the platform's acknowledgment of its security shortcomings while reaffirming its commitment to user privacy protection.
This incident highlights ongoing cybersecurity challenges facing digital platforms that handle substantial user data. Substack's breach notification comes nearly four months after the actual unauthorized access occurred, raising questions about detection timelines and transparency in security incident reporting.
