In an email to users, newsletter platform Substack admitted a data breach. According to the corporation, user data, including phone numbers, email addresses, and other unidentified “internal metadata”, was obtained by an “unauthorised third party” in October, meaning that they were compromised.
More private information, such as passwords, credit card details, and other financial data, remained unaffected, according to Substack.
Chris Best, chief executive of Substack, stated in an email to subscribers that the company discovered the problem that gave someone access to its systems in February. According to Best, the business has resolved the issue and initiated an inquiry.
In the email to users, Best stated, “I’m reaching out to let you know about a security incident that resulted in the email address and phone number from your Substack account being shared without your permission.” “I really apologise for this incident. We took our obligation to safeguard your information and privacy seriously, but we failed in this instance.
The nature of the problem with its systems and the extent of the data that was accessed are unclear. It’s also unclear whether hackers contacted the organisation and demanded a ransom or why it took five months to discover the intrusion. The members of the press requested additional information from the company; if there is feedback, an update report will be published
The number of impacted users was not disclosed by Substack. The corporation stated that it has no proof that user data is being misused, but it did not specify what technical tools, such as logs, it uses to find such evidence. The business did, however, advise customers to exercise caution when responding to emails and texts that lack specific instructions or warnings.
Substack claims to have more than 50 million active memberships on its website, including 5 million premium subscriptions, a milestone it achieved in March of last year. The business raised $100 million in Series C funding in July 2025, led by BOND and The Chernin Group (TCG), with involvement from a16z, Rich Paul, CEO of Klutch Sports Group, and Jens Grede, co-founder of Skims.
An investigation is in progress, and the vulnerability has been fixed. According to Substack, there is currently no proof that the stolen data is being used improperly.
Chris Best, CEO of Substack, attested to the fact that financial data, credit card details, and passwords were not obtained. And this has been classified as safe data.
The actions users should take
Be on the lookout for alerts: Substack is directly emailing affected account holders. Although many of the alerted users are supposedly writers for the platform, you might not be affected if you haven’t received an email.
Users need to be alert/vigilant: Users are advised to be wary of phishing attempts, including dubious emails or texts that might make use of the compromised contact details.
Users need to review security: Enabling two-factor authentication (2FA) on important accounts is always a smart idea, even though passwords were not stolen.
We use cookies to ensure that we give you the best experience on our website. If you continue to use this site we will assume that you are happy with it.
