
A popular home for independent writers is dealing with a security scare.
Substack has confirmed that hackers accessed user data, exposing email addresses, phone numbers, and internal account details in an incident that went undetected for months.
The subscription-based newsletter platform, which claims to have around 50 million active subscribers, including 5 million paid subscriptions, disclosed the breach in emails sent to affected users this month.
In a notice to users, Substack CEO Chris Best acknowledged the incident and apologized.
“On February 3rd, we identified evidence of a problem with our systems that allowed an unauthorized third party to access limited user data without permission, including email addresses, phone numbers, and other internal metadata,” Best wrote in the breach notification email.
He added: “This data was accessed in October 2025. Importantly, credit card numbers, passwords, and financial information were not accessed.”
The four-month gap has experts concerned
Perhaps the most troubling detail to emerge is the timeline. The unauthorized access occurred in October 2025. Substack discovered it on Feb. 3, 2026. That’s roughly 100 days of potential exposure that the company was completely unaware of.
Substack has not explained why it took so long to notice the breach or how the attackers initially gained access. Best, however, said the company has already “fixed the problem with our system that allowed this to happen.” A full investigation is underway, and Substack claims it’s implementing changes to prevent a repeat performance.
“We don’t have evidence that this information is being misused,” Best wrote, “but we encourage you to take extra caution with any emails or text messages you receive that may be suspicious.”
Nearly 700,000 records leaked online
While Substack has not disclosed the number of users affected, cybersecurity outlet BleepingComputer reported that a threat actor posted a database containing 697,313 records on the hacking forum BreachForums.
According to that report, the attacker claimed the data was scraped and said the “scraping technique used was noisy and patched fast.” Substack has not publicly confirmed the exact number of impacted users.
Longtime users might feel a sense of déjà vu. Back in July 2020, Substack accidentally exposed some users’ email addresses by including them in the ‘to’ line of a privacy policy update email instead of the ‘bcc’ field. That was an embarrassing mistake, but a far cry from a targeted breach by an unauthorized third party.