What Happened
Substack, the popular newsletter and publishing platform used by millions of writers and readers, has confirmed that it suffered a data breach. The company disclosed that:
- An unauthorized third party accessed parts of its systems in October 2025.
- The breach was only discovered in early February 2026 when Substack identified evidence of the security incident.
- The company then emailed users about the incident to notify them. (TechCrunch)
Substack’s CEO Chris Best personally apologised to users in the notification, saying the company is conducting a full investigation and has patched the vulnerability that allowed the access. (Yahoo News UK)
What Data Was Exposed
According to Substack’s official communication and independent reports:
Compromised:
- User email addresses
- Phone numbers
- Internal metadata associated with accounts — details not fully explained but likely linked to user profiles and platform activity (TechRadar)
Not compromised:
- Passwords
- Credit card numbers or other financial details.
Substack states there’s no evidence that this more sensitive data was accessed. (TechRadar)
Security researchers also report that a database of potentially about 700,000 user records allegedly appeared on a hacking forum, though Substack has not confirmed the exact number of accounts affected. (CSO Online)
Timeline & Detection
- October 2025: The breach originally occurred.
- February 3, 2026: Substack identified evidence of the issue.
- Early February 2026: Affected users received notification emails. (Yahoo News UK)
Security experts have pointed out the long detection gap — several months between the attack and discovery — which can be concerning because it gives attackers a longer window to exploit stolen data. (Cybernews)
Risks for Users
Even though financial and credential data were not accessed:
Phishing & Scam Attempts
With email addresses and phone numbers in hand, attackers could:
- Send targeted phishing emails or SMS pretending to be Substack or other trusted services
- Attempt SIM‑swap attacks or social engineering to access other accounts tied to those contacts
Security experts recommend users be vigilant about unexpected messages. (IT Pro)
Personal Contact Information Exposure
Contact details like email addresses and phone numbers are still valuable to cybercriminals, especially when paired with other publicly known information. (Forbes)
What Substack Is Doing
The company says it has:
- Patched the vulnerability that led to the breach
- Launched a full investigation
- Promised to improve systems and processes to help prevent future incidents
- Sent direct notification emails to affected users with guidance on caution and security best practices (Yahoo News UK)
Substack has not yet publicly disclosed:
- The exact number of affected accounts
- The precise technical flaw that was exploited
Expert Commentary & Broader Context
Detection Delay Is a Concern
Security professionals note that the delay between when the breach occurred and when it was found — several months — raises questions about monitoring and incident detection capabilities. (Cybernews)
Even “Limited” Data Is Valuable
While email addresses and phone numbers may seem less sensitive than passwords or credit card numbers, they still pose risk for targeted scams and identity attacks. Experts warn users not to ignore suspicious communication. (Cybernews)
Creator Platforms Are Attractive Targets
Services like Substack host large volumes of engaged, professional users — making them appealing to attackers. As more business and revenue activity moves online, data protection becomes increasingly critical for digital publishers. (CSO Online)
What Users Should Do Next
If you have a Substack account:
- Be cautious of unsolicited emails and texts asking for login info or offering help.
- Do not click links or provide information unless you’re certain the message is legitimate.
- Change passwords on other services if you reused the same email on sensitive accounts.
- Consider enabling two‑factor authentication (2FA) on other accounts where possible.
Bottom Line
Substack has acknowledged a serious data breach that exposed email addresses, phone numbers, and internal metadata. While it says no financial information or login credentials were taken, the exposure of contact data still poses a security risk, especially for phishing and scam attempts. The incident highlights the importance of vigilanc
Substack Confirms Data Breach Exposing User Email Addresses and Phone Numbers — Case Studies & Expert Commentary
In early February 2026, Substack — the newsletter and publishing platform — confirmed a data breach that exposed users’ email addresses, phone numbers, and some internal metadata. Passwords and financial data were not exposed, but the leak still has serious implications for users and email security.
Below are illustrative case studies showing how this kind of breach can play out for individuals and organisations, followed by strategic commentary on the broader impact.
Case Study 1 — Phishing Targeting Creators
Scenario:
A Substack creator with tens of thousands of subscribers routinely receives many legitimate newsletters and reader emails. Shortly after the breach notification, they begin seeing targeted emails that appear to reference the exact topics they write about, even though they haven’t interacted with those senders before.
What Happened:
- Attackers used exposed email addresses to craft believable messages.
- Emails referenced real‑sounding details to gain trust.
- Some pretended to be from Substack support asking for “verification.”
Risks Illustrated:
- Sophisticated phishing attempts can look very convincing.
- Creators with public profiles are especially attractive targets.
Takeaway:
Users should be cautious with messages referencing platform names, services, or account details. Legitimate providers never ask for passwords or sensitive information by email.
Case Study 2 — SMS Scams After Phone Data Exposure
Scenario:
A reader who subscribes to multiple Substack writers receives text messages claiming to be from “Substack” about “security alerts” or “recovery codes.”
What Happened:
- Exposed phone numbers were leveraged to send SMS phishing (smishing).
- Messages tried to lure users to fake login pages.
Risks Illustrated:
- Compromised phone numbers increase the risk of SIM‑swap attacks and account recovery scams on other platforms.
Takeaway:
Users should never follow links in unexpected SMS messages and should enable multi‑factor authentication (2FA) on accounts that support it.
Case Study 3 — Credential Reuse Exploited Elsewhere
Scenario:
A user reused the same email address (from Substack) and password on another service. After the breach, attackers attempted logins on several unrelated accounts.
What Happened:
- The breach didn’t include passwords, but shared email addresses can be used in credential‑stuffing attacks where attackers try common passwords repeatedly against multiple services.
Risks Illustrated:
- Even when passwords weren’t leaked, credential reuse magnifies risk.
Takeaway:
Always use unique passwords for each site and a password manager to reduce reuse.
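The credential-stuffing pattern described in this case study has a distinctive shape in a service's own authentication logs: one source cycling through many different accounts in a short window, with a high failure rate and the occasional success where a reused password happened to match. The script below is an added example, not Substack's code; it runs over a constructed, labelled sample of login events (timestamp, source IP, account, outcome) and reports sources matching that shape together with any accounts that succeeded from them, which is the list a defender would force-reset first. The log format, thresholds and IP addresses are assumptions for the example.

```python
"""Added example (not Substack's code): flag credential-stuffing patterns
in a constructed authentication log.

A single user mistyping their own password produces a few failures on one
account. Credential stuffing produces many failures spread across many
*different* accounts from one source, so we look for that combination
inside a sliding time window.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one stuffing source (203.0.113.7) trying ten
# accounts in seconds, and one ordinary user (198.51.100.23) retrying
# their own account. Format: timestamp, source IP, account, outcome.
SAMPLE_LOG = """\
2026-02-04T10:00:01Z 203.0.113.7 alice@example.org FAIL
2026-02-04T10:00:02Z 203.0.113.7 bob@example.org FAIL
2026-02-04T10:00:02Z 203.0.113.7 carol@example.org FAIL
2026-02-04T10:00:03Z 203.0.113.7 dave@example.org SUCCESS
2026-02-04T10:00:04Z 203.0.113.7 erin@example.org FAIL
2026-02-04T10:00:05Z 203.0.113.7 frank@example.org FAIL
2026-02-04T10:00:05Z 203.0.113.7 grace@example.org FAIL
2026-02-04T10:00:06Z 203.0.113.7 heidi@example.org FAIL
2026-02-04T10:00:07Z 203.0.113.7 ivan@example.org FAIL
2026-02-04T10:00:08Z 203.0.113.7 judy@example.org FAIL
2026-02-04T10:05:00Z 198.51.100.23 alice@example.org FAIL
2026-02-04T10:05:10Z 198.51.100.23 alice@example.org FAIL
2026-02-04T10:05:30Z 198.51.100.23 alice@example.org SUCCESS
"""


def parse_line(line):
    """Parse one log line into (timestamp, ip, account, outcome)."""
    ts, ip, account, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, account, outcome


def find_stuffing_sources(log_text, window=timedelta(minutes=5),
                          min_accounts=8, min_fail_ratio=0.8):
    """Return {ip: summary} for sources whose activity looks like stuffing.

    A source is flagged if, within any `window`, it attempted at least
    `min_accounts` distinct accounts and at least `min_fail_ratio` of those
    attempts failed. The summary keeps the largest matching window and the
    accounts that succeeded from it (candidates for a forced reset).
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, account, outcome = parse_line(line)
            events[ip].append((ts, account, outcome))

    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        best, start = None, 0
        for end in range(len(evs)):
            # Advance the window start until the window fits the time bound.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            chunk = evs[start:end + 1]
            accounts = {a for _, a, _ in chunk}
            fails = sum(1 for _, _, o in chunk if o == "FAIL")
            if len(accounts) >= min_accounts and fails / len(chunk) >= min_fail_ratio:
                if best is None or len(chunk) > best["attempts"]:
                    best = {
                        "distinct_accounts": len(accounts),
                        "attempts": len(chunk),
                        "failures": fails,
                        "successes": sorted(a for _, a, o in chunk if o == "SUCCESS"),
                    }
        if best:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, summary in find_stuffing_sources(SAMPLE_LOG).items():
        print(ip, summary)
```

The ordinary user's three attempts on a single account never reach the distinct-account threshold, so only the stuffing source is reported; tuning `min_accounts` and `window` to a service's real traffic is the part that takes care in practice.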
Strategic Commentary
1. Contact Data Is Valuable — Even Without Passwords
While financial details and passwords weren’t exposed according to Substack, email addresses and phone numbers alone are still highly valuable to malicious actors.
- Email addresses can be used for targeted phishing, impersonation attacks, and spam.
- Phone numbers enable SMS scams and social‑engineering attacks against other services that rely on phone‑based recovery.
Comment:
Breaches of contact data often fuel the next wave of attacks — not immediately, but over time as attackers refine their targeting.
2. Detection Delays Raise Security Questions
The breach occurred in October 2025 but was only discovered in early 2026 — a gap of months.
Expert view:
Long detection windows often indicate that the attacker had time to explore the system quietly. Organisations need better monitoring, logging, and incident detection to minimise this window.
Comment:
Users shouldn’t assume a breach is “minor” just because a company says sensitive data wasn’t accessed. Early notification and transparency are crucial.
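The detection gap discussed here and in the Timeline & Detection section above is, from an operator's side, a question of whether anything watches the data store for reads that do not look like normal usage. The script below is an added example and not Substack's code: it builds a constructed, labelled audit log in which a service principal normally reads a handful of user records per working hour and then, in one off-hours window, walks through thousands, and it flags that hour by comparing each hour's distinct-record count against the principal's own median. The audit format, principal name and thresholds are assumptions for the example.

```python
"""Added example (not Substack's code): spot a bulk read of user records
in a constructed audit log, the kind of signal that shortens the gap
between an intrusion and its discovery.

Each audit record is (hour bucket, principal, user-record id). Normal
tooling touches a few records per hour; an attacker harvesting contact
data touches thousands, often at an unusual time of day.
"""
from collections import defaultdict
from statistics import median


def build_sample_events():
    """Constructed audit events: a week of normal reads plus one bulk read."""
    events = []
    # Normal behaviour: the support tool reads six distinct records per
    # working hour, 09:00-17:00, for seven days in October 2025.
    for day in range(1, 8):
        for hour in range(9, 18):
            for i in range(6):
                events.append((f"2025-10-{day:02d}T{hour:02d}", "support-tool",
                               f"user-{day * 100 + hour * 10 + i}"))
    # Anomalous hour: the same principal reads 5,000 distinct records at 02:00.
    for i in range(5000):
        events.append(("2025-10-08T02", "support-tool", f"user-{i}"))
    return events


def hourly_distinct_reads(events):
    """Return {principal: {hour: number of distinct records read}}."""
    seen = defaultdict(set)
    for hour, principal, record in events:
        seen[(principal, hour)].add(record)
    per_principal = defaultdict(dict)
    for (principal, hour), records in seen.items():
        per_principal[principal][hour] = len(records)
    return per_principal


def find_bulk_reads(events, factor=10, min_records=500):
    """Flag hours where a principal read far more records than its norm.

    The baseline is the median of that principal's hourly counts, which a
    single anomalous hour cannot drag upwards. An hour is flagged when its
    count is at least `factor` times the baseline and at least
    `min_records`, the latter stopping tiny baselines from firing on noise.
    """
    alerts = []
    for principal, by_hour in hourly_distinct_reads(events).items():
        baseline = median(by_hour.values())
        threshold = max(min_records, factor * baseline)
        for hour in sorted(by_hour):
            if by_hour[hour] >= threshold:
                alerts.append({"principal": principal, "hour": hour,
                               "records": by_hour[hour], "baseline": baseline})
    return alerts


if __name__ == "__main__":
    for alert in find_bulk_reads(build_sample_events()):
        print(alert)
```

Run as-is, the only alert is the 02:00 window on 8 October; in a real deployment the same check would sit on the audit stream and page someone the same day rather than months later.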
3. Phishing and Social Engineering Risk Is High After Exposure
Security professionals warn that the breach will lead to spikes in phishing and smishing attempts.
- Attackers use exposed contact information to craft believable messages.
- These can reference Substack, familiar newsletters, or community interests.
Comment:
Users should treat any unexpected communication with healthy scepticism and verify through official channels before acting.
4. Shared Data Across Platforms Increases Exposure
Many users reuse their email on other accounts and platforms. Exposed contact data can therefore serve as a building block for more advanced attacks.
Comment:
Good digital hygiene — including unique passwords, 2FA, and being cautious about phishing — matters even if a breach doesn’t directly leak financial or login data.
5. Platforms with Large Active Communities Are Attractive Targets
Platforms like Substack, which host millions of newsletters and engaged audiences, are attractive to attackers because:
- They collect large volumes of user contact data
- They power direct communication channels
- Community trust increases credibility of phishing lures
Comment:
This breach reinforces the need for industry‑wide best practices in platform security and transparency when incidents occur.
What Users Should Do Now
For Individuals
- Be vigilant for unexpected emails or texts.
- Avoid clicking suspicious links or sharing sensitive information.
- Enable 2FA wherever possible.
- Use unique passwords and consider a password manager.
For Creators and Organisations
- Educate your audience about phishing and scam tactics.
- Audit your own workflows for password reuse or SMS‑based recovery risks.
- Update contact management practices to segment and protect sensitive lists.
Final Thought
While the Substack breach did not expose passwords or financial data, the loss of email addresses and phone numbers still carries real security risks. Bad actors often use exposed contact data as a launching point for phishing, impersonation, and broader attacks.
The situation highlights that data breaches are rarely benign — and even “limited” exposures require vigilance, robust security habits, and proactive communication with users.
