Substack Data Breach Leaks Nearly 700,000 User Records

A data breach at Substack has exposed nearly 700,000 personal records after an unauthorized third party gained access by exploiting a security flaw.

The attack occurred in October 2025 but was detected on February 3, 2026, giving the attacker sufficient time to access data.

Substack confirms data breach

Substack contacted impacted users and informed them that a data breach had leaked their personal information. It exposed users’ email addresses, phone numbers, and internal metadata, but did not leak account passwords or financial information such as credit card numbers or bank account details.

“I’m reaching out to let you know about a security incident that resulted in the email address and phone number from your Substack account being shared without your permission,” Substack CEO Chris Best wrote in an email. “I’m incredibly sorry this happened. We take our responsibility to protect your data and your privacy seriously, and we came up short here.”

Attackers could use this information to target impacted individuals in phishing attacks. Consequently, Substack has advised impacted users to be on the lookout for unsolicited email and text messages.

Users should also change their passwords and monitor their accounts for suspicious activity. They should also consider enabling multifactor authentication (MFA) to avoid becoming victims of another data breach in the future.

“The data collected by the attackers may not be the highest level of sensitivity, but threat actors commonly use information like email address or phone numbers to carry out extensive social engineering campaigns that can compromise victims further or pressure them into paying ransoms against their wills. Prominent cybercrime organizations like Scattered Spider or ShinyHunters have used these tactics to launch the most notorious phishing campaigns over the last year,” said Ross Filipek, CISO at Corsica Technologies.

Meanwhile, Substack states that the security vulnerability has been fixed and has launched an investigation, which could uncover the full scope of the data breach.

However, the publishing platform has not disclosed the attack vector that the threat actor exploited. Nevertheless, the threat actor claims to have obtained the data through scraping, underscoring the risk posed by unsecured API endpoints.

“We have fixed the problem with our system that allowed this to happen. We are conducting a full investigation, and are taking steps to improve our systems and processes to prevent this type of issue from happening in the future,” the company added.

So far, Substack says there is no indication that the threat actor has misused the stolen information.

“We do not have evidence that this information is being misused, but we encourage you to take extra caution with any emails you receive that may be suspicious,” the company advised.

Nevertheless, the delayed notification could undermine the platform’s reputation and have legal ramifications.

“Substack’s breach illustrates how third party exposures can quietly escalate into large scale events,” said Jeremy Turner, VP of Threat Intelligence and Research at SecurityScorecard. “Although the incident occurred in October 2025, Substack only identified the problem this week, meaning an unauthorized party had access to user data for roughly four months before detection. That extended dwell time signals gaps in monitoring and vendor related oversight, especially given that the threat actor was able to access 697,313 records before being noticed.”

Hacker leaks Substack user data

The threat actor has listed 697,313 records for sale on the notorious hacking platform BreachForums. The leaked data contains the victims’ names, email addresses, phone numbers, user IDs, profile pictures, and bios. While the information is hardly sensitive, attackers could use it to craft compelling phishing messages targeting affected users.

So far, the number of users affected by the data breach remains unknown, and there is no word on whether the threat actor demanded a ransom.

Substack has an active user base of approximately 50 million, including 5 million paying subscribers, of which only a subset was affected, according to the company. The platform’s large user base makes it an attractive target for cybercriminals. Paying customers are particularly valuable for cybercriminals.

In 2020, the podcasting platform experienced another data breach that leaked users’ email addresses.