Substack data breach exposed users’ emails and phone numbers
Substack Confirms Data Breach Affecting User Emails and Phone Numbers in October 2025 Incident
In a significant security revelation, Substack has notified a subset of its users that their personal information was compromised during a data breach that occurred last year. The popular newsletter platform, known for hosting independent writers and journalists, disclosed that unauthorized access to internal systems exposed email addresses, phone numbers, and other metadata associated with affected accounts.
The breach, which Substack now says occurred in October 2025, was only recently discovered and reported to users on February 3rd, 2026. In an official communication from Substack CEO Chris Best, the company acknowledged that a hacker had gained unauthorized access to limited user data. The platform emphasized that while email addresses and phone numbers were exposed, more sensitive information such as passwords, credit card numbers, and other financial data remained secure.
“We identified evidence of a problem with our systems that allowed an unauthorized third party to access limited user data without permission,” Best stated in the email to account holders. “This included email addresses, phone numbers, and other internal metadata.” The CEO added that while there is currently no evidence of misuse of the exposed information, users should exercise heightened vigilance regarding suspicious emails or text messages they may receive.
Substack has since addressed the security vulnerability and is conducting a comprehensive investigation into the incident. The company is also implementing enhanced security measures to prevent similar breaches in the future. However, the platform has not disclosed specific details about the nature of the security flaw or the exact number of users affected by the breach.
Interestingly, the notification appears to have been sent to only a portion of Substack’s user base. Several staff members at The Verge, including those who use the platform, did not receive the breach notification email. This selective notification raises questions about the scope of the breach and the criteria used to determine which users were impacted.
The timing of the breach discovery—nearly four months after the incident occurred—has drawn scrutiny from cybersecurity experts. The delay between the October 2025 breach and the February 2026 notification has prompted concerns about Substack’s security monitoring capabilities and incident response protocols.
In his communication to users, Best expressed deep regret over the security lapse: “I’m incredibly sorry this happened. We take our responsibility to protect your data and your privacy seriously, and we came up short here.” This apology reflects the gravity of the situation for a platform that positions itself as a trusted home for content creators and their audiences.
The breach has implications beyond immediate privacy concerns. For Substack’s creator community, which relies on the platform to build direct relationships with subscribers, the exposure of contact information could compromise the trust between writers and their audiences. Some creators may need to reassess their communication strategies and implement additional verification measures when interacting with their subscriber base.
Substack’s handling of the breach notification also highlights the challenges that growing tech platforms face in maintaining robust security infrastructure while scaling their services. The incident serves as a reminder that even platforms with significant resources and technical expertise can fall victim to sophisticated cyberattacks.
As the investigation continues, affected users are advised to remain vigilant about potential phishing attempts or other suspicious communications that may exploit the exposed information. Cybersecurity experts recommend enabling two-factor authentication on all accounts, using unique passwords for different services, and being cautious about unsolicited communications requesting personal information.
The Substack breach joins a growing list of high-profile data security incidents that have affected major technology platforms in recent years, underscoring the ongoing challenges in protecting user data in an increasingly connected digital ecosystem.