Substack Data Breach: Emails, Phone Numbers and Account Metadata Exposed

CyberSecureFox 🦊

Substack has notified users of a data breach in which email addresses, phone numbers and internal account metadata were exposed to an unauthorized third party. According to the company, the intrusion occurred in October 2025 but was only detected in early February, leaving a multi‑month window during which the data could have been misused.

Scope of the Substack data breach and official statements

In a notification sent to affected customers, Substack CEO Chris Best stated that an attacker accessed a “limited set of user data”. The company stresses that passwords, payment card information and other financial data were not part of the breach and that it has not seen evidence of direct credential compromise so far.

However, a post on the well‑known hacking forum BreachForums claims responsibility for the incident and advertises a data set containing 697,313 records allegedly linked to Substack. The forum post attributes the leak to automated scraping of Substack systems and notes that the method was “noisy”, implying a high volume of repetitive requests until Substack closed the loophole.

What user data was reportedly exposed

Based on Substack’s disclosure and the BreachForums listing, the compromised information includes:

Email addresses associated with Substack accounts and newsletter subscriptions;
Phone numbers linked to user profiles or used for account recovery;
Service metadata, such as account creation timestamps, subscription settings and technical details of how users interact with the platform.

Although no passwords were exposed, the combination of email address, phone number and account metadata is highly valuable to criminals: it supports detailed profiling of individuals and makes follow‑on phishing and social‑engineering attacks significantly more convincing.

Scraping, API weaknesses and how the Substack attack likely worked

Substack has not disclosed the precise technical root cause of the breach, stating only that the underlying vulnerability has been remediated and that additional security reviews are in progress.

The BreachForums post points to scraping as the main technique. Scraping is the automated collection of data from websites or APIs. When it is limited to publicly visible information it is a gray area, but an expected risk, for any online service. The situation changes completely when a flaw in an API’s business logic, authentication or access‑control model lets an attacker retrieve non‑public data at scale: each individual request may look like legitimate use, yet the sum of them is a breach.
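The class of flaw described above, illustrated with an added example that is not Substack's code and makes no claim about how Substack's endpoints actually worked: a hypothetical profile lookup that ignores who is asking, beside a hardened version that projects the response down to public fields for anyone but the record owner. The record fields, ids and function names are assumptions for illustration.

```python
"""Added example (not Substack code): the access-control class of flaw the
paragraph describes, shown as a hypothetical profile endpoint beside a
hardened version. Record fields, ids and handler names are assumptions."""
from dataclasses import dataclass, asdict
from typing import Callable, Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Profile:
    user_id: int
    handle: str
    email: str        # non-public
    phone: str        # non-public
    created_at: str   # non-public service metadata


# Constructed sample records standing in for the user table.
USERS: Dict[int, Profile] = {
    1001: Profile(1001, "alice", "alice@example.com", "+1-555-0100", "2021-03-04T12:00:00Z"),
    1002: Profile(1002, "bob", "bob@example.com", "+1-555-0101", "2022-07-19T08:30:00Z"),
}

# The only fields anyone other than the owner is entitled to see.
PUBLIC_FIELDS = {"user_id", "handle"}


def get_profile_vulnerable(requester_id: int, target_id: int) -> Optional[dict]:
    """Flawed: the caller is assumed to be authenticated, but nothing ties the
    requested id to the requester, so any logged-in client can pull any user's
    full record. Sequential ids turn this into a one-line enumeration loop."""
    profile = USERS.get(target_id)
    return asdict(profile) if profile is not None else None


def get_profile_hardened(requester_id: int, target_id: int) -> Optional[dict]:
    """Hardened: the response is projected down to PUBLIC_FIELDS unless the
    requester is the record owner. Contact details and metadata never leave
    the server for a foreign id, no matter how many ids are tried."""
    profile = USERS.get(target_id)
    if profile is None:
        return None
    record = asdict(profile)
    if requester_id == target_id:
        return record
    return {k: v for k, v in record.items() if k in PUBLIC_FIELDS}


def enumerate_ids(fetch: Callable[[int, int], Optional[dict]],
                  requester_id: int, ids: Iterable[int]) -> List[dict]:
    """Simulates the 'noisy' collection: walk an id range with one account and
    keep every record that came back carrying a phone number."""
    return [rec for rec in (fetch(requester_id, i) for i in ids)
            if rec is not None and "phone" in rec]
```

Against the flawed handler, a single account walking the id range harvests every record; against the hardened one the same loop yields only the attacker's own record, and the server, not the client, decides which fields exist in the response.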

The attacker’s reference to a “noisy” method suggests a large number of similar requests in a short timeframe. Mature platforms typically detect such patterns via rate limiting, anomaly detection and comprehensive request logging. This incident underlines why SaaS providers must invest not only in classic perimeter defenses, but also in behavioral analytics and continuous API security testing.
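As an added example of the detection the paragraph refers to (not Substack's tooling), the following flags enumeration-style scraping in API access logs by counting the distinct user ids each client requests inside a sliding 60‑second window. The log format, endpoint path, thresholds and client identifiers are constructed assumptions; the sample traffic is generated inside the block so it runs offline.

```python
"""Added example (not Substack's tooling): a detector for enumeration-style
scraping run over constructed API access log lines. The log format, paths,
thresholds and client identifiers are assumptions for illustration."""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, Iterator, List, Tuple

TS_FMT = "%Y-%m-%dT%H:%M:%S.%fZ"
# Assumed line shape: <timestamp> <client ip> <auth token> <method> <path> <status>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<token>\S+) (?P<method>[A-Z]+) "
    r"/api/v1/users/(?P<target>\d+) (?P<status>\d{3})$"
)

Client = Tuple[str, str]  # (ip, token): a token moving across IPs is still one actor


def build_sample_log() -> List[str]:
    """Constructed traffic: one client walking 600 sequential user ids at
    10 requests/s, three ordinary users viewing a few profiles each, and one
    unrelated request the parser should ignore."""
    base = datetime(2025, 10, 12, 3, 0, tzinfo=timezone.utc)

    def fmt(ts: datetime) -> str:
        return ts.strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"

    lines = [
        f"{fmt(base + timedelta(milliseconds=100 * i))} 203.0.113.7 tok_scraper "
        f"GET /api/v1/users/{1000 + i} 200"
        for i in range(600)
    ]
    benign = [("198.51.100.2", "tok_u1"), ("198.51.100.3", "tok_u2"), ("198.51.100.4", "tok_u3")]
    for n, (ip, token) in enumerate(benign):
        for j in range(5):
            ts = base + timedelta(minutes=2 * j, seconds=n)
            lines.append(f"{fmt(ts)} {ip} {token} GET /api/v1/users/{2000 + 10 * n + j} 200")
    lines.append(f"{fmt(base)} 198.51.100.2 tok_u1 GET /static/app.js 200")
    return lines


def parse(lines: Iterable[str]) -> Iterator[dict]:
    """Yield only profile lookups; everything else is out of scope here."""
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue
        ts = datetime.strptime(m["ts"], TS_FMT).replace(tzinfo=timezone.utc)
        yield {"ts": ts, "client": (m["ip"], m["token"]), "target": int(m["target"])}


def detect_enumeration(events: Iterable[dict], window: timedelta = timedelta(seconds=60),
                       max_targets: int = 50) -> Tuple[Dict[Client, int], List[Client]]:
    """For each client, compute the peak number of *distinct* user ids requested
    inside any sliding window. Distinct ids, not raw request count, is the
    signal: refreshing one profile 600 times is not enumeration."""
    by_client: Dict[Client, List[Tuple[datetime, int]]] = defaultdict(list)
    for e in events:
        by_client[e["client"]].append((e["ts"], e["target"]))
    peaks: Dict[Client, int] = {}
    for client, reqs in by_client.items():
        reqs.sort()
        in_window: deque = deque()
        live: Counter = Counter()
        peak = 0
        for ts, target in reqs:
            in_window.append((ts, target))
            live[target] += 1
            while ts - in_window[0][0] > window:  # evict requests older than the window
                _, old_target = in_window.popleft()
                live[old_target] -= 1
                if live[old_target] == 0:
                    del live[old_target]
            peak = max(peak, len(live))
        peaks[client] = peak
    flagged = sorted(c for c, p in peaks.items() if p > max_targets)
    return peaks, flagged


def run() -> Tuple[Dict[Client, int], List[Client]]:
    return detect_enumeration(parse(build_sample_log()))


if __name__ == "__main__":
    peaks, flagged = run()
    for client in flagged:
        print(f"enumeration suspected from {client}: {peaks[client]} distinct ids per 60 s")
```

The threshold of 50 distinct ids per minute is a placeholder; in practice it would be set from a baseline of legitimate browsing on the endpoint, and the same per-client window is what a rate limiter would key on to stop the walk rather than merely log it.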

Security risks for Substack users: phishing, smishing and targeted fraud

Even without exposed passwords, the leaked Substack dataset can be weaponized in several ways that directly impact users’ security and privacy.

Phishing emails: Attackers can send highly tailored messages that appear to come from Substack or from specific newsletter authors, urging recipients to “verify” accounts, re‑enter passwords or update billing details on malicious clones of the Substack site.

Smishing and messaging‑app fraud: With valid phone numbers, criminals can launch SMS‑based phishing (smishing) and messages via popular messengers, attempting to steal one‑time codes, card data or push users to install malware.

Advanced social engineering: Metadata about account age, subscription behavior or interaction patterns helps attackers sound credible: they can reference specific newsletters or approximate how long a person has used the service, lowering victims’ suspicion.

Industry reports such as the Verizon Data Breach Investigations Report and analyses from ENISA consistently identify phishing and user error as leading initial access vectors. Incidents that expose contact details, even without credentials, therefore significantly increase the likelihood of successful follow‑on attacks.

Previous Substack security incident and broader lessons

This is not the first time Substack’s handling of user data has raised concerns. In July 2020, the company sent a privacy‑policy update in which some recipients’ email addresses were placed in the “To” field instead of “BCC”, inadvertently revealing subscribers’ contact details to one another.

While the 2020 incident was caused by human error and the current case appears linked to a technical vulnerability, together they highlight recurring challenges for platforms that manage large volumes of personal data. Effective protection requires a combination of secure software development, robust access control, privacy‑by‑design practices and strong operational discipline around communications and incident response.

Practical cybersecurity recommendations for Substack users

Users of Substack and similar newsletter or publishing platforms should adopt several defensive measures, even if their passwords were not directly exposed:

— Treat all unexpected emails and SMS messages claiming to be from Substack, banks or major services with caution, especially if they request credentials or payment details.

— Avoid clicking links in unsolicited messages. Instead, manually type the service’s address into the browser or use a trusted bookmark to access the account.

— Enable two‑factor authentication (2FA) wherever possible, preferring an authenticator app or hardware key over SMS codes, since leaked phone numbers make SMS‑delivered codes a natural smishing target; use unique, complex passwords managed by a reputable password manager to limit the impact of any single compromise.

— Monitor email accounts and phone numbers for unusual activity, such as password‑reset notifications you did not request, unfamiliar logins or messages sent from your address without your knowledge.

The Substack data breach demonstrates that contact information and seemingly innocuous metadata can become powerful tools in the hands of attackers. In an environment where phishing campaigns grow more sophisticated each year, both users and service providers benefit from a proactive security mindset: regularly review security settings, stay informed about evolving attack techniques and be wary of any unsolicited request that touches personal or financial data.
