{"id":6863,"date":"2026-02-05T21:13:42","date_gmt":"2026-02-05T21:13:42","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=6863"},"modified":"2026-02-05T21:13:42","modified_gmt":"2026-02-05T21:13:42","slug":"substack-data-breach-leaks-users-email-addresses-and-phone-numbers","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=6863","title":{"rendered":"Substack data breach leaks users\u2019 email addresses and phone numbers"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Substack, a high-profile publishing platform widely used by academics, journalists, subject matter experts, and controversialists, has suffered a data breach affecting an unknown number of its creators and subscribers.<\/p>\n<p>According to emails sent out this week to some users, on February 3 the company \u201cidentified evidence\u201d that a third party had exploited an unspecified weakness in the company\u2019s systems to gain access to user email addresses, phone numbers and, more vaguely, \u201cother internal metadata.\u201d<\/p>\n<p>The breach happened in October 2025, which means that data, which the company said did not include credit card numbers, passwords, or financial information, has been exposed for up to four months.<\/p>\n<p>\u201cWe have fixed the problem with our system that allowed this to happen. 
We are conducting a full investigation, and are taking steps to improve our systems and processes to prevent this type of issue from happening in the future,\u201d <a href=\"https:\/\/lorichristian.substack.com\/p\/notice-of-data-breach\" target=\"_blank\" rel=\"noopener\">said the email<\/a> from Substack CEO Chris Best.<\/p>\n<p>\u201cWe do not have evidence that this information is being misused, but we encourage you to take extra caution with any emails you receive that may be suspicious.\u201d<\/p>\n<h2 class=\"wp-block-heading\">No passwords to lose<\/h2>\n<p>At the time of publication, Substack had not yet made a web announcement about the breach, limiting itself to sending emails to users. This implies that the breach only affects a subset of its estimated 35 million active users.<\/p>\n<p>Indeed, the language of the email alert downplays the incident, describing the exposed data as merely being \u201cshared without your permission.\u201d<\/p>\n<p>However, the fact that the breach was only discovered this week, after a four-month delay, raises the possibility that its scope could yet grow as Substack conducts deeper forensics. A <a href=\"https:\/\/dailydarkweb.net\/substack-data-breach-leads-to-leak-of-nearly-700000-records\/\" target=\"_blank\" rel=\"noopener\">dark web source claimed<\/a> the breach compromised 697,313 records, although this remains unconfirmed. It also reported that IDs from payment system Stripe, used by creators to receive payment from their subscribers, were compromised.<\/p>\n<p>Based on the wording of the email alert sent by the company, the breach only affects users who have Substack accounts; anyone who subscribes to a Substack creator\u2019s newsletter directly using an email address shouldn\u2019t be affected.<\/p>\n<p>The full extent of what was exposed is less clear. In addition to email addresses and phone numbers, the company mentioned \u201cmetadata,\u201d a catch-all term. 
In its <a href=\"https:\/\/substack.com\/privacy#:~:text=What%20Information%20does%20Substack%20collect\" target=\"_blank\" rel=\"noopener\">privacy policy<\/a>, Substack describes a wide range of data this might cover, depending on how the site is used, including user IDs, profile pictures, biographies, and IP addresses.<\/p>\n<p>How should Substack users react? Normally, the advice after any data breach is to change the account password. However, Substack\u2019s default access method is <a href=\"https:\/\/faq.substack.com\/p\/logging-in-to-substack\" target=\"_blank\" rel=\"noopener\">via email address<\/a>, with authentication confirmed by sending a \u201cmagic link\u201d to the user\u2019s email address. This removes the problem of password compromise and phishing attacks by not having a password to phish. If optional multi-factor authentication is turned on, the user must additionally enter a one-time code from an app.<\/p>\n<p>Passwords are still possible \u2014 users who signed up before 2023 might have one \u2014 but in 2026, the user must actively choose to create one. 
The company doesn\u2019t mention whether this subset of users should consider changing their passwords as a precaution, but did offer the following statement:<\/p>\n<p>\u201cWe cannot share specifics about our security systems and processes, but we can confirm that the issue has been resolved and safeguards have been put in place to help prevent this issue from happening again.\u201d<\/p>\n<p>Substack\u2019s only other known security incident happened in 2020 when it <a href=\"https:\/\/en.wikipedia.org\/wiki\/Substack#:~:text=On%20July%2028%2C%202020%2C\" target=\"_blank\" rel=\"noopener\">accidentally exposed<\/a> user email addresses by adding them to the \u201ccc\u201d (carbon copy) field instead of the \u201cbcc\u201d (blind carbon copy) of an email when sending out a policy update.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Substack, a high-profile publishing platform widely used by academics, journalists, subject matter experts, and controversialists, has suffered a data breach affecting an unknown number of its creators and subscribers. 
According to emails sent out this week to some users, on February 3 the company \u201cidentified evidence\u201d that a third party had exploited an unspecified weakness [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":6864,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-6863","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/6863"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=6863"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/6863\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/6864"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=6863"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=6863"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=6863"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}