A Substack Data Breach May Have Compromised Nearly 700,000 User Records.
When you subscribe to Substack, you expect to receive newsletters and publications from online bloggers, not to lose the data you share with the platform. But, as with any digital service, the data you provide during registration is at the mercy of Substack or anyone who gains access to it. Unfortunately, that’s no longer the case.
Substack may have lost nearly 700,000 user records.
As reported by BleepingComputer , Substack recently reported a major data breach. The company’s CEO, Chris Best, sent out a breach notification to users this week, stating that email addresses, phone numbers, and “other internal metadata” had been shared from Substack accounts without their permission. The company reportedly discovered the breach on February 3, although hackers accessed the data as early as October 2025. This means the data had been in unauthorized access for approximately four months before Substack discovered the breach.
Best explained that Substack had fixed the system issue that allowed an unauthorized third party to access this data. The company has launched an investigation and is reportedly taking steps to prevent similar breaches in the future. Fortunately, Best claims that credit card numbers, passwords, and financial information were not compromised in the breach.
Best is not disclosing the scope of the breach. For that, we turn to BleepingComputer, which discovered a post from the “attacker” on the hacker forum BreachForums. The attacker published a database of 697,313 Substack records, claiming that Substack’s user base is much larger, but that the data collection method was “noisy and quickly patched.” The attacker claims the compromised data includes email addresses, phone numbers, names, user IDs, Stripe IDs, profile photos, and biographies—slightly more detailed information than Substack’s CEO’s report.
700,000 records isn’t the same as 700,000 users : each record is something like an email address or phone number, meaning a single Substack user could have lost many records in the breach. Still, it’s a large amount of data, and that’s of little comfort to the users who lost their information.
What can Substack do after this hack?
Unfortunately, after a data breach, there’s little users can do to prevent it. Data stolen from Substack is already lost and cannot be undone. However, there are several steps users can take to protect themselves after a breach and prevent similar data loss in the future.
First, carefully monitor your incoming text messages and emails. Hackers will use this data to target Substack users with phishing scams. If you receive messages from strangers or even suspicious messages purporting to be from Substack, be cautious. As always, never click links in messages from unknown senders and, more importantly, never download files or apps unless instructed to do so.
You might also want to consider hiding your email address in the future. Use services like Apple’s Hide My Email or DuckDuckGo’s Email Protection to generate a “temporary” address each time you need to share your email with a service. The service will send messages to this temporary address, which will be forwarded to your real address. This way, the service won’t know your real address and, if hacked, won’t be able to compromise it. Hackers will only have access to the temporary address, which you can disable at any time.