Media platform Substack has disclosed a data breach that exposed email addresses, phone numbers, and internal metadata of an unknown number of users. Credit card numbers, passwords, and financial information were not accessed.
In an email, Substack CEO Chris Best informed affected users that on 3 February, the company found evidence pointing to a third party having exploited an unspecified weakness in its systems.
The breach happened in October 2025, meaning user data remained exposed for about four months before discovery.
Best added that the company is conducting a thorough investigation, and is “taking steps to improve our systems and processes to prevent this type of issue from happening in the future.”
Light on the Details
Javvad Malik, Lead Security Awareness Advocate at KnowBe4, said: “Transparent breach notifications should always be commended. However, it is a bit light on the details, which can help people accurately judge the risk and take concrete action.
He says the phrase ‘limited user data’ is particularly vague. “Email addresses and phone numbers are enough for targeted phishing, SIM-swap attempts, or doxxing. Even if passwords weren’t accessed, attackers don’t need passwords if they can socially engineer users. Additionally, the phrase ‘internal metadata’ is vague. Metadata can range from harmless IDs to information that enables correlation and targeting.”
Malik added, “If the data was accessed in October 2025, but only just disclosed, it’s a significant dwell time. That isn’t to say there’s negligence on the part of Substack because detection can be difficult. But impacted users deserve a clearer explanation of how the breach was identified and which monitoring controls failed to detect it initially, and most importantly, what’s changing as a result.”
Rather Generic Advice
The advice given is rather generic, too, Malik said: “Be cautious of suspicious emails/texts’ is true but not particularly helpful. It would have been better to give examples of likely uses (account verification, payout updates, ‘your newsletter was reported’, etc.) along with advice on enabling strong MFA where possible and on what Substack will never ask for over email/SMS.
“Overall, it’s good to see more organizations trying to reach the bar of being transparent and useful. The most effective breach notifications reduce harm by being specific as to what happened, when, who was affected, and what users can do today beyond generic vigilance.”
Chris Hauk, Consumer Privacy Advocate at Pixel Privacy, added that while we don’t know exactly how many Substack content creators or users were affected by the breach, it appears that only superficial contact information was harvested. “That said, the email addresses and phone numbers gleaned by the responsible bad actors could be used by said bad guys to launch phishing attacks via text or email.”
He adds that users and content creators affected by the breach should practice extra care when dealing with unexpected messages, emails, or calls. “Never provide any information in these cases, and never click links in unrequested emails or texts. Actually, this is good advice for any online user, not just those with data exposed in the breach.”
Beware Targeted Phishing Emails
Paul Bischoff, Consumer Privacy Advocate at Comparitech, advised Substack users to be on the lookout for targeted phishing emails and scams. “Scammers could use the info from this breach to target specific users and make their scams more convincing. Never click on links or attachments in unsolicited emails.”
Jamie Akhtar, CEO of CyberSmart, added that breaches like this can feel distant to many SMEs because they involve a large, well-known platform like Substack. “However, incidents like this are a useful reminder that size or technical maturity does not equal immunity.
A Concerning Delay
“One of the more concerning aspects of this incident is the delay between the initial breach and its discovery. Detection gaps create a longer window for attackers to exploit stolen data, often before victims are even aware there is a problem. For SMEs, early detection and visibility are critical because attackers rarely stop at one system or one platform.”
Akhtar says this incident also highlights the importance of good cyber hygiene beyond your own organization. “Many attacks begin with trusted third parties. SMEs should be cautious about unsolicited contact, even when it appears to come from familiar platforms or services, and ensure staff are trained to recognise follow-up scams that often appear after a public breach.
“Preparation remains key. Enforcing strong access controls, using multi-factor authentication, keeping systems up to date, and maintaining clear incident response plans can significantly reduce the impact of breaches. Cyber incidents are not always preventable, but how quickly they are detected and contained often determines the real damage.”
Substack advised its users to take extra caution with any suspicious emails or text messages they receive. It said the glitch that enabled the incident has subsequently been fixed.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.