What Happened
In October 2025, Substack suffered a data breach that exposed approximately 663,000 user records. The records contained email addresses, phone numbers, and internal account metadata such as user IDs, profile information, and notification preferences; passwords, credit card numbers, and financial information were not compromised. The unauthorized access went undetected for four months until Substack identified suspicious activity on February 3, 2026, and subsequently notified affected users. CEO Chris Best apologized for the incident and stated that the company had fixed the vulnerability and launched a full investigation. The company has not provided detailed explanations for the lengthy detection delay, nor has it confirmed evidence of data misuse. Security researchers noted that threat actors claimed to have scraped between 662,000 and 697,000 records, which were circulated on dark web forums and cybercrime channels, increasing the risk of phishing and social engineering attacks against affected users.



