Ekhbary
Thursday, 12 March 2026

Substack Confirms Data Breach Exposing User Emails and Phone Numbers

Newsletter platform acknowledges unauthorized access to sens

Matrix Bot
1 month ago

United States - Ekhbary News Agency


Newsletter platform Substack has officially confirmed a significant data breach that allowed unauthorized access to sensitive user information, including email addresses and phone numbers. The incident, which reportedly occurred in October, was only identified by the company in February, leading to a delayed notification to its user base. Substack CEO Chris Best issued an apology, acknowledging the platform's failure to adequately protect user data.

In an email communication to its users, Substack detailed that an "unauthorized third party" managed to access specific user data. This compromised information includes email addresses, phone numbers, and other unspecified "internal metadata." Crucially, the company emphasized that more sensitive data, such as credit card numbers, passwords, and financial details, were not affected by the breach. This distinction aims to reassure users about the security of their financial transactions and account credentials.

The timeline of the breach and its discovery raises questions about Substack's internal security protocols and response mechanisms. CEO Chris Best stated that in February the company identified the vulnerability that had allowed an external party to access its systems. Following the identification of the issue, Substack claims to have rectified the problem and initiated a thorough investigation into the breach. "I'm reaching out to let you know about a security incident that resulted in the email address and phone number from your Substack account being shared without your permission," Best communicated to users. He further expressed regret, stating, "I'm incredibly sorry this happened. We take our responsibility to protect your data and your privacy seriously, and we came up short here."

Despite the confirmation of the breach, many details remain unclear. The exact nature of the system vulnerability that facilitated the access has not been disclosed. Furthermore, the full scope of the "internal metadata" accessed remains unspecified, leaving users uncertain about the extent of the exposure. The five-month gap between the breach occurring in October and its detection in February has also drawn scrutiny. Questions linger regarding the reasons for this delay and whether the company was prompted to investigate by external factors, such as demands from hackers. TechCrunch has reached out to Substack for further clarification and will update its reporting as more information becomes available.

Substack has not disclosed the total number of users affected by the breach. While the company asserts that it has found no evidence of the compromised data being misused, it has remained vague about the technical measures, such as system logs, it employs to detect such misuse. In the absence of concrete assurances, Substack has advised its users to exercise caution regarding unsolicited emails and text messages, though it provided no specific indicators or directions for identifying suspicious communications.

The breach occurs at a time when Substack is experiencing significant growth. The platform boasts over 50 million active subscriptions, with 5 million of those being paid subscriptions, a milestone achieved in March. The company also secured substantial funding, raising $100 million in Series C funding in July 2025, with notable investors including BOND, The Chernin Group (TCG), a16z, and prominent figures from the sports and fashion industries. This growth trajectory underscores the increasing importance of data security for platforms handling vast amounts of user information.

This incident highlights a broader trend of increasing cyber threats targeting technology platforms and user data. The compromise of email addresses and phone numbers, even without the exposure of more sensitive financial details, can open the door to sophisticated phishing attacks, social engineering schemes, and other forms of cybercrime. Users are often advised to enable two-factor authentication wherever possible, use strong, unique passwords, and remain vigilant about communications that appear suspicious. The lack of transparency regarding the breach's specifics and the delay in detection will likely fuel further concern among Substack's user base and the wider tech community.

The investigation into the breach is ongoing, and Substack has committed to providing updates as they become available. The platform's response and the effectiveness of its future security enhancements will be closely watched by users and industry experts alike, particularly given the platform's significant role in the digital publishing landscape.
