Substack confirms data breach affects users’ email addresses and phone numbers
Substack Admits Data Breach Exposed User Emails and Phone Numbers After Five-Month Delay
Substack, the popular newsletter platform used by millions of writers and readers, has confirmed a significant data breach that exposed sensitive user information, including email addresses and phone numbers. The breach, which the company says occurred in October, was only detected and disclosed to users in February—raising serious questions about the platform’s security practices and transparency.
In an email sent to affected users, Substack CEO Chris Best acknowledged that an “unauthorized third party” gained access to user data through a vulnerability in the company’s systems. The breach exposed email addresses, phone numbers, and unspecified “internal metadata,” though the company claims more sensitive information like credit card numbers, passwords, and financial data remained secure.
“I’m reaching out to let you know about a security incident that resulted in the email address and phone number from your Substack account being shared without your permission,” Best wrote in the notification email. “I’m incredibly sorry this happened. We take our responsibility to protect your data and your privacy seriously, and we came up short here.”
The timing of this disclosure has raised eyebrows across the tech community. Substack identified the security vulnerability in February—five months after the initial breach occurred in October. This extended delay between the breach and its detection has prompted concerns about the company’s monitoring capabilities and incident response protocols.
What makes this particularly troubling is that Substack has not provided specific details about what caused the breach, how the unauthorized access occurred, or the full scope of data that was compromised. The company has also not disclosed how many of its users were affected, despite claiming to host over 50 million active subscriptions, including 5 million paid subscriptions.
The breach comes at a time when Substack has been experiencing significant growth and investment. In July 2025, the company raised $100 million in Series C funding from high-profile investors including BOND, The Chernin Group, Andreessen Horowitz, Rich Paul of Klutch Sports Group, and Skims co-founder Jens Grede. This substantial investment valued the company at over $1 billion, making this security lapse particularly concerning for both users and investors.
Substack’s response to the breach has been criticized for its lack of specificity. While the company claims it has no evidence that user data is being misused, it hasn’t explained what technical measures or logs it’s using to monitor for potential abuse. The company’s advice to users—to be cautious with emails and texts—provides little practical guidance for protecting oneself from potential phishing attacks or spam that could result from the exposed information.
The incident highlights the ongoing challenges faced by digital platforms in protecting user data. For a company that positions itself as a champion of independent writers and creators, the exposure represents a significant breach of trust with its community. Writers who rely on Substack to connect with their audiences now face the uncomfortable reality that their contact information may have been compromised.
Security experts note that email addresses and phone numbers, while not the most sensitive data, can be valuable to malicious actors for phishing campaigns, spam operations, and even targeted social engineering attacks. The exposure of “internal metadata” mentioned by Substack could potentially include additional information about user behavior, subscription patterns, or other platform interactions.
The five-month gap between the breach and its detection raises serious questions about Substack’s security monitoring infrastructure. Most major platforms employ continuous monitoring systems designed to detect unusual access patterns or data exfiltration attempts in real time or near real time. The fact that Substack took months to discover this breach suggests either a significant gap in its security monitoring or a sophisticated attack that evaded its detection systems for an extended period.
Users and industry observers are also questioning why Substack waited until now to disclose the breach, even after identifying it in February. While companies sometimes delay disclosure during active investigations, the extended period without communication to affected users represents a significant lapse in transparency.
This breach serves as a reminder that even platforms focused on content creation and distribution must prioritize robust security measures. As Substack continues to grow and attract more users and investment, the company will need to demonstrate a stronger commitment to data protection and more transparent communication during security incidents.
For the millions of writers and readers who use Substack, this incident may prompt reconsideration of the platform’s security practices and whether their personal information is adequately protected. The company’s handling of this breach—from detection to disclosure—will likely influence user trust and could impact its continued growth in the competitive newsletter and content platform market.
Substack has stated that it has fixed the vulnerability that allowed the breach and launched an investigation, but the long-term implications for user trust and platform security remain to be seen. As more details potentially emerge, users will be watching closely to see how the company addresses these serious security shortcomings and works to rebuild confidence in its ability to protect user data.