Substack Confirms Data Breach: 697,000 User Records Exposed Including Email Addresses and Phone Numbers
The popular newsletter platform Substack has confirmed a significant data breach that exposed the personal information of hundreds of thousands of users. In what security researchers are describing as a serious incident for the publishing industry, an unauthorized third party accessed user data including email addresses, phone numbers, and extensive internal metadata—all while Substack remained unaware for nearly four months.
CEO Chris Best disclosed the breach in an email to affected users on February 5, 2026, apologizing for the company "coming up short" on its responsibility to protect user data. The admission came just days after a threat actor leaked what appears to be 697,313 user records on the notorious hacking forum BreachForums.
What Happened: A Four-Month Blind Spot
The breach timeline reveals a troubling gap between when attackers gained access and when Substack discovered the intrusion:
October 2025: An unauthorized third party first accessed Substack's systems and began extracting user data. The company remained completely unaware of the intrusion during this time.
February 2, 2026: A threat actor using the alias "w1kkid" posted on BreachForums claiming to have scraped Substack's database, uploading a CSV file containing approximately 697,313 user records. The post included sample data to verify the leak's authenticity.
February 3, 2026: Substack finally "identified evidence of a problem" with their systems—three days after the data appeared on a public hacking forum. This suggests the company may have discovered the breach only after being alerted to the public leak, rather than through their own security monitoring.
February 5, 2026: CEO Chris Best sent notification emails to affected users, acknowledging the security incident and apologizing for the breach.
The four-month "dwell time" between initial compromise and detection raises serious questions about Substack's security monitoring capabilities. As Jamie Akhtar, CEO of CyberSmart, noted: "The timeline is significant. If the data was accessed in October 2025, but only just disclosed, it's a significant dwell time."
Security experts have pointed out that this extended period gave attackers ample opportunity to exfiltrate data, potentially conduct reconnaissance for future attacks, and establish persistence within Substack's systems.
Who Was Affected: A Platform of High-Value Targets
Substack isn't just any social platform—it's become the de facto home for independent journalists, academics, public intellectuals, and subject matter experts. This makes the breach particularly concerning from both a privacy and national security perspective.
Platform Scale
According to Substack's own figures:
- 50+ million active subscriptions across the platform
- 5 million paid subscriptions (milestone reached in March 2025)
- 20 million active monthly users
- 17,000+ writers earning money from the platform
- Estimated 35 million active readers worldwide
While Substack has not confirmed the exact number of affected users, the leaked database reportedly contains approximately 697,313 records. This suggests the breach impacted a significant subset of the platform's user base, though not all users may have been affected.
High-Value Targets
Analysis of the leaked data samples by security researchers at Hackread revealed records belonging to:
- Active publishers with monetized newsletters
- Professional journalists and academics
- At least one US government-associated email address
- Long-time users with accounts dating back to 2018
- Users from multiple countries with verified phone numbers
The presence of creator accounts in the breach is especially concerning. These users often have significant audiences, public personas, and financial relationships with subscribers—making them prime targets for impersonation attacks, business email compromise schemes, and targeted phishing campaigns.
What Data Was Exposed: Far More Than Substack Initially Implied
While Substack's initial notification described the breach as exposing "limited user data" including "email addresses, phone numbers, and other internal metadata," independent analysis of the leaked database tells a more concerning story.
Confirmed Exposed Data Types
Based on analysis by Hackread and other security researchers who examined the BreachForums leak:
Personal Identifiers:
- Full names
- Email addresses (verified)
- Phone numbers (for users in multiple countries)
- Profile pictures (hosted on Substack's S3 buckets)
- User biographies
Account Information:
- Unique numeric user IDs
- Account creation timestamps
- Account update timestamps
- Newsletter handles (for publishers)
- Publisher agreement acceptance timestamps
Platform Metadata:
- Stripe platform customer IDs (linking accounts to payment systems)
- Notification preferences
- Subscription metadata
- Moderation flags
- Session version information
- Captcha completion status
Internal System Flags:
- is_global_admin
- is_ghost
- is_globally_banned
- Other backend indicators
What Was NOT Exposed
Substack has emphasized that the following data types were not accessed:
- Passwords (Substack primarily uses passwordless "magic link" authentication)
- Credit card numbers
- Bank account information
- Other direct financial data
The Stripe ID Problem
Security researcher Arvid Kahl raised immediate concerns about the exposed Stripe platform customer IDs on Twitter:
"The issue with data breach notifications like this one from Substack is that financial data and passwords are listed as 'not leaked.' Great, now there's just a list of emails paired with phone numbers. In a world of 2FA & SIM swaps, email + phone IS critical data."
While Stripe IDs don't directly expose payment card details, they create a correlation between identity information and payment systems. This connection significantly increases the data's value to attackers, enabling:
- More sophisticated social engineering attacks
- Potential credential stuffing against Stripe accounts
- Business email compromise targeting creators' financial relationships
The Metadata Question
The term "internal metadata" in Substack's disclosure is deliberately vague. Hackread's analysis found backend flags and internal system indicators that would not be visible on public profile pages—suggesting the breach involved access to internal systems or data exports rather than simple scraping of public profiles.
As Javvad Malik, lead security awareness advocate at KnowBe4, observed: "It is a bit light on the details which can help people accurately judge the risk and take concrete action."
Substack's Response: Damage Control Mode
Substack's response to the breach has been measured but notably lacking in technical details.
Official Statement
In his email to users, CEO Chris Best stated:
"I'm reaching out to let you know about a security incident that resulted in the email address and phone number from your Substack account being shared without your permission. I'm incredibly sorry this happened. We take our responsibility to protect your data and your privacy seriously, and we came up short here."
The company also stated:
- The vulnerability has been patched
- A full investigation is underway
- Steps are being taken to improve systems and processes
- No evidence of data misuse has been found "so far"
What's Missing
Notably absent from Substack's response:
- Total number of affected users — The company has not confirmed or denied the 697,313 figure
- Technical details about the vulnerability exploited
- How the breach was discovered — Whether through internal monitoring or external notification
- Why detection took four months
- Whether attackers maintained persistent access
- Plans for credit monitoring or identity protection services
- A public blog post or press release — The company has limited communication to direct emails
When pressed for details, Substack provided only a generic statement: "We cannot share specifics about our security systems and processes, but we can confirm that the issue has been resolved and safeguards have been put in place to help prevent this issue from happening again."
No Public Announcement
As of publication, Substack has not posted any public acknowledgment of the breach on its website, blog, or social media channels. The company appears to be limiting disclosure to direct emails to affected users—an approach that some security experts view as inadequate transparency.
What You Should Do Now: Immediate Protection Steps
If you have a Substack account—whether as a reader, subscriber, or publisher—you should take immediate steps to protect yourself.
1. Assume You're Affected
Even if you haven't received a notification email from Substack, the company hasn't disclosed the full scope of the breach. Err on the side of caution and assume your data may have been exposed.
2. Prepare for Phishing Attacks
The combination of email addresses, phone numbers, and detailed profile information creates perfect conditions for targeted phishing. Expect attackers to:
- Send emails that reference your specific Substack activity, newsletter subscriptions, or bio information
- Create urgency by claiming account suspension, payment issues, or security alerts
- Spoof Substack, Stripe, or individual newsletter publishers
- Send SMS messages (smishing) to phone numbers in the database
Protection tips:
- Never click links in emails claiming to be from Substack—type substack.com directly in your browser
- Don't respond to messages requesting passwords, verification codes, or payment details
- Be especially suspicious of messages that reference specific details about your account
- Verify any "urgent" requests through official channels
3. Enable Multi-Factor Authentication
If you haven't already, enable MFA on your Substack account:
- Log in to Substack
- Go to Settings > Account
- Enable two-factor authentication using an authenticator app (not SMS-based 2FA)
Using app-based authentication (Google Authenticator, Authy, etc.) is crucial because the breach exposed phone numbers, making SMS-based 2FA vulnerable to SIM-swapping attacks.
4. Check for Password Reuse
While Substack primarily uses passwordless authentication, some older accounts (created before 2023) may have passwords. If you use a password for Substack that you've reused elsewhere:
- Change those passwords immediately
- Use unique passwords for every account going forward
- Consider a password manager
5. Monitor Your Stripe Account
If you're a Substack creator using Stripe for payments:
- Review your Stripe dashboard for any suspicious activity
- Enable all available Stripe security notifications
- Watch for unauthorized payment requests or account changes
- Contact Stripe support if you notice anything unusual
6. Watch for SIM Swap Attacks
With both email addresses and phone numbers exposed, attackers could attempt SIM swap attacks to bypass 2FA and take over accounts:
- Contact your mobile carrier to add additional security (PIN, security questions)
- Consider freezing your number against port-out requests
- Be alert to unexplained loss of cell service—this could indicate an ongoing attack
7. Monitor for Identity Theft
Given the breadth of personal information exposed:
- Consider placing a fraud alert or credit freeze with major credit bureaus
- Monitor your accounts for unauthorized activity
- Watch for new accounts opened in your name
Lessons for Other Platforms: The Security Debt Comes Due
The Substack breach offers important lessons for other platforms in the creator economy—and for users who trust them with their data.
The Four-Month Problem
Substack's failure to detect the breach for four months illustrates a common security gap: insufficient monitoring and logging. Modern security operations should include:
- Real-time alerting on unusual data access patterns
- Behavioral analytics to detect anomalous activity
- Regular security audits and penetration testing
- Comprehensive logging with sufficient retention
The fact that Substack may have learned of the breach only after data appeared on a public forum suggests serious gaps in their security monitoring infrastructure.
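The "real-time alerting on unusual data access patterns" item above is the control that would have shortened a four-month dwell time to hours. The following is an added example, not Substack's code or any vendor's product: it reads application access logs in an assumed format (`<timestamp> <principal> read user_id=<n>`), keeps a sliding window per principal, and alerts when the number of distinct user records read in that window exceeds a threshold. Counting distinct records rather than requests is deliberate: a retry storm on one record is noise, while a principal walking sequential user ids is the signature of a bulk export. The principal names, threshold and sample traffic are all constructed.

```python
"""Bulk-read anomaly detection over application access logs.

Added example (not Substack's code): the log format, principal names and
threshold are assumptions. It flags any principal that reads more distinct
user records inside one sliding window than a baseline allows.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Assumed log format: "<ISO-8601 UTC timestamp> <principal> read user_id=<n>"
LINE_RE = re.compile(r"^(\S+) (\S+) read user_id=(\d+)$")


def parse_line(line):
    """Return (timestamp, principal, user_id) or None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
    return ts, m.group(2), int(m.group(3))


def detect_bulk_reads(lines, window=timedelta(minutes=5), threshold=50):
    """Alert on principals whose peak count of *distinct* user records read
    within `window` exceeds `threshold`. Counting distinct ids, not requests,
    keeps a retry storm on one record from looking like a scrape."""
    per_principal = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, principal, uid = parsed
            per_principal[principal].append((ts, uid))

    alerts = []
    for principal, events in per_principal.items():
        events.sort()
        in_window = Counter()  # user_id -> reads inside the current window
        left = 0
        peak, peak_at = 0, None
        for ts, uid in events:
            in_window[uid] += 1
            # Advance the left edge until the window spans at most `window`.
            while ts - events[left][0] > window:
                old_uid = events[left][1]
                in_window[old_uid] -= 1
                if in_window[old_uid] == 0:
                    del in_window[old_uid]
                left += 1
            if len(in_window) > peak:
                peak, peak_at = len(in_window), ts
        if peak > threshold:
            alerts.append({"principal": principal, "distinct_records": peak,
                           "window_end": peak_at.isoformat()})
    return alerts


def build_sample_log():
    """Constructed sample traffic: normal page views, a retry storm on one
    record, a scraper walking sequential user ids, and one malformed line."""
    base = datetime(2025, 10, 14, 2, 0, 0, tzinfo=timezone.utc)

    def stamp(delta):
        return (base + delta).isoformat().replace("+00:00", "Z")

    lines = [f"{stamp(timedelta(minutes=12 * i))} svc-web read user_id={1000 + i}"
             for i in range(5)]
    lines += [f"{stamp(timedelta(seconds=i))} svc-worker read user_id=4242"
              for i in range(100)]
    lines += [f"{stamp(timedelta(seconds=2 * i))} api-key-7f3 read user_id={2000 + i}"
              for i in range(60)]
    lines.append("garbage line that should be ignored")
    return lines


if __name__ == "__main__":
    for alert in detect_bulk_reads(build_sample_log()):
        print(alert)
```

In production the threshold would be derived per principal class from historical volume, and the alert would be routed to an on-call queue; the structure (per-principal sliding window over distinct records) is what matters.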
"Magic Links" Aren't Magic
Substack's passwordless authentication system, which uses email-based "magic links," eliminates one attack vector (password breaches) but creates others. When the underlying email addresses are compromised, the entire authentication model is weakened. Platforms relying on passwordless auth should:
- Implement additional verification for sensitive actions
- Offer robust MFA options beyond email
- Monitor for signs of account takeover even without password compromises
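The three recommendations above translate into concrete design choices in a passwordless flow. The following added example is not Substack's implementation; it shows one way a platform can (a) store only a hash of each magic-link token, so a database export like the one leaked here does not contain live login links, (b) make links single-use and short-lived, and (c) gate sensitive actions such as changing a payout account behind a fresh TOTP step-up instead of trusting the email session alone. The action names, TTLs and in-memory stores are assumptions; the TOTP routine follows RFC 6238 with HMAC-SHA1.

```python
"""Passwordless login hardened for the case the article describes.

Added example, not Substack's implementation. Action names, TTLs and the
in-memory stores are assumptions; TOTP follows RFC 6238 (HMAC-SHA1).
"""
import hashlib
import hmac
import secrets
import struct
import time

MAGIC_LINK_TTL = 600   # seconds a link stays redeemable (assumption)
STEP_UP_WINDOW = 300   # seconds a TOTP step-up remains fresh (assumption)
SENSITIVE_ACTIONS = {"change_email", "change_phone",
                     "change_payout_account", "export_subscribers"}  # assumption


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP code for Unix time `at`."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class AuthService:
    def __init__(self):
        self._links = {}         # sha256(token) -> {"email", "expires", "used"}
        self._totp_secrets = {}  # email -> shared secret bytes

    def enroll_totp(self, email: str, secret=None) -> bytes:
        self._totp_secrets[email] = secret or secrets.token_bytes(20)
        return self._totp_secrets[email]

    def issue_magic_link(self, email: str, now: float) -> str:
        """Return the secret to embed in the link; only its hash is stored."""
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._links[digest] = {"email": email, "expires": now + MAGIC_LINK_TTL,
                               "used": False}
        return token

    def redeem_magic_link(self, token: str, now: float):
        """Return a session dict, or None if the link is unknown, expired or used."""
        entry = self._links.get(hashlib.sha256(token.encode()).hexdigest())
        if entry is None or entry["used"] or now > entry["expires"]:
            return None
        entry["used"] = True  # single use: a forwarded or replayed link fails from here
        return {"email": entry["email"], "step_up_until": 0.0}

    def step_up(self, session: dict, code: str, now: float) -> bool:
        """Verify a TOTP code (current or previous step) and mark the session fresh."""
        secret = self._totp_secrets.get(session["email"])
        if secret is None:
            return False
        for skew in (0, -30):
            if hmac.compare_digest(totp(secret, int(now) + skew), code):
                session["step_up_until"] = now + STEP_UP_WINDOW
                return True
        return False

    def authorize(self, session: dict, action: str, now: float) -> bool:
        """Ordinary actions need only the session; sensitive ones need a fresh step-up."""
        if action not in SENSITIVE_ACTIONS:
            return True
        return now <= session["step_up_until"]


if __name__ == "__main__":
    svc, now = AuthService(), time.time()
    secret = svc.enroll_totp("writer@example.invalid")
    session = svc.redeem_magic_link(svc.issue_magic_link("writer@example.invalid", now), now)
    print("payout change without step-up:", svc.authorize(session, "change_payout_account", now))
    svc.step_up(session, totp(secret, int(now)), now)
    print("payout change after step-up:", svc.authorize(session, "change_payout_account", now))
```

The hashing of stored tokens is the piece most relevant to this incident: a dumped table of pending magic links that holds only SHA-256 digests is useless to whoever exports it, whereas plaintext tokens would have been a list of ready-to-use logins.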
The Metadata Myth
Substack's description of exposed data as "internal metadata" downplays the risk. Backend system flags, Stripe IDs, moderation status, and notification preferences aren't innocuous technical details—they're valuable intelligence for social engineering attacks. Platforms should:
- Apply data minimization principles to all collected information
- Treat all user data as potentially sensitive
- Be transparent about exactly what was exposed in breach notifications
Stripe IDs and Third-Party Risk
The exposure of Stripe platform customer IDs highlights how interconnected systems create compound risks. A breach of one platform can affect security across the entire ecosystem of connected services. Platforms should:
- Minimize the exposure of third-party identifiers
- Assess how breaches could cascade across integrated services
- Coordinate disclosure with affected third parties
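Data minimization (the list under "The Metadata Myth") and limiting third-party identifiers (the list just above) come down to the same engineering habit: every outbound representation of a user record goes through an allowlist, and internal or partner identifiers never appear in it raw. The following added example, not Substack's code, shows per-audience projection, an outbound guard that walks a payload for fields that must never leave the backend, and a keyed pseudonym for the Stripe customer id so support tooling can still correlate records without carrying the real id. The record layout is constructed; the internal flag names mirror the ones reported in the leak so the guard has something concrete to catch.

```python
"""Field allowlists and third-party identifier pseudonymisation for user
records. Added example (not Substack's code): the record layout is
constructed; the flag names mirror those reported in the leak.
"""
import hashlib
import hmac

# Per-audience allowlists: anything not listed is dropped, so a new column
# is private by default rather than public by accident.
PUBLIC_FIELDS = {"id", "name", "handle", "bio", "avatar_url"}
OWNER_FIELDS = PUBLIC_FIELDS | {"email", "phone", "created_at", "notification_prefs"}
AUDIENCES = {"public": PUBLIC_FIELDS, "owner": OWNER_FIELDS}

# Fields that must never leave the backend in any response or export.
NEVER_EXPORT = {"is_global_admin", "is_ghost", "is_globally_banned",
                "stripe_customer_id", "session_version", "captcha_passed",
                "moderation_flags"}

SAMPLE_RECORD = {  # constructed record, not real data
    "id": 8675309, "name": "A. Writer", "handle": "writerweekly",
    "bio": "Covers infrastructure policy.",
    "avatar_url": "https://example.invalid/a.png",
    "email": "writer@example.invalid", "phone": "+15555550100",
    "created_at": "2018-03-02T10:00:00Z",
    "notification_prefs": {"digest": "weekly"},
    "stripe_customer_id": "cus_EXAMPLE000", "is_global_admin": False,
    "is_ghost": False, "is_globally_banned": False, "session_version": 7,
    "captcha_passed": True, "moderation_flags": [],
}


def project(record: dict, audience: str) -> dict:
    """Serialise `record` for `audience` using that audience's allowlist."""
    allowed = AUDIENCES[audience]
    return {k: v for k, v in record.items() if k in allowed}


def find_forbidden_fields(payload, path=""):
    """Walk a response payload (dicts and lists, any depth) and return the
    dotted paths of every NEVER_EXPORT key found; empty list means clean."""
    hits = []
    if isinstance(payload, dict):
        for k, v in payload.items():
            here = f"{path}.{k}" if path else k
            if k in NEVER_EXPORT:
                hits.append(here)
            hits.extend(find_forbidden_fields(v, here))
    elif isinstance(payload, list):
        for i, v in enumerate(payload):
            hits.extend(find_forbidden_fields(v, f"{path}[{i}]"))
    return sorted(hits)


def pseudonymize_stripe_id(stripe_id: str, key: bytes) -> str:
    """Stable keyed pseudonym: internal tools can still join on it, but a
    leaked value is not the customer id Stripe knows."""
    return "pcus_" + hmac.new(key, stripe_id.encode(), hashlib.sha256).hexdigest()[:24]


def support_export(record: dict, key: bytes) -> dict:
    """Owner-level view plus a pseudonymous payment reference for support staff."""
    out = project(record, "owner")
    if "stripe_customer_id" in record:
        out["payment_ref"] = pseudonymize_stripe_id(record["stripe_customer_id"], key)
    return out


if __name__ == "__main__":
    print(project(SAMPLE_RECORD, "public"))
    print(find_forbidden_fields({"users": [SAMPLE_RECORD]}))
    print(support_export(SAMPLE_RECORD, b"constructed-demo-key"))
```

`find_forbidden_fields` is the kind of check that belongs in a response middleware or a test over every export job: it fails loudly when an internal flag reaches the serialisation boundary, regardless of which endpoint put it there.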
Previous Incidents Matter
This isn't Substack's first security incident. In July 2020, the company accidentally exposed user email addresses by putting them in the CC field instead of BCC when sending a policy update. While that incident was an accident rather than an attack, it demonstrated operational security weaknesses that should have prompted broader security improvements.
Organizations with prior security incidents should:
- Conduct thorough post-mortems that address root causes
- Invest in security infrastructure proportional to their user base and data sensitivity
- Treat every incident as an opportunity to prevent future breaches
The Broader Context: Newsletter Platforms as High-Value Targets
The Substack breach comes at a critical moment for the creator economy. As traditional media continues to struggle, platforms like Substack have become essential infrastructure for independent journalism and expert analysis.
Why Newsletter Platforms Are Attractive Targets
- Concentrated high-value users: Journalists, academics, and public figures
- Financial data connections: Subscription revenue and payment processing
- Audience data: Detailed information about reader demographics and interests
- Trust relationships: Readers trust newsletters in their inbox, making phishing more effective
- Limited security resources: Many creator platforms prioritize features over security
The "Important Journalist" Attack Vector
Security researchers have long warned that journalists and academics are prime targets for state-sponsored and sophisticated criminal hacking groups. A database linking journalists to their email addresses, phone numbers, and subscriber relationships is exactly the kind of intelligence that would be valuable for:
- State-sponsored surveillance operations
- Targeted spear-phishing campaigns
- Source identification and exposure
- Disruption of independent media
Trust in the Creator Economy
The breach fundamentally challenges the trust model that platforms like Substack depend on. Creators trust Substack with their audience relationships and revenue streams. Readers trust the platform with their contact information and payment details. When that trust is broken, the entire ecosystem suffers.
What Happens Next
Substack has indicated that its investigation is ongoing, and the full scope of the breach may not yet be known. Users should expect:
- Possible expansion of affected users as forensic analysis continues
- Potential regulatory scrutiny depending on the jurisdictions of affected users
- Class action litigation, which is common following breaches of this scale
- Continued targeting of Substack users by attackers using the leaked data
The leaked database is reportedly already circulating on Russian-speaking cybercrime forums and Telegram channels, according to Hackread's analysis. Once data is in the wild, it never truly disappears—it gets aggregated with other breaches, enriched with additional information, and used for attacks for years to come.
Conclusion
The Substack breach serves as a stark reminder that in 2026, no platform is immune to security incidents—and that the creator economy needs to take security seriously. With approximately 697,000 user records exposed, including the personal information of journalists, academics, and creators with significant audiences, the potential for harm extends far beyond simple spam.
For affected users, the most important steps right now are enabling app-based MFA, preparing for sophisticated phishing attempts, and securing related accounts (especially Stripe for publishers). Don't wait for Substack's investigation to conclude—assume you're at risk and act accordingly.
For the broader industry, this breach should be a wake-up call. Platforms handling sensitive user data need to invest in security monitoring, reduce detection times, and be transparent about incidents when they occur. The four-month blind spot that allowed this breach to fester undetected is exactly the kind of security debt that eventually comes due.
Key Takeaways
- 697,313 user records reportedly leaked on BreachForums
- Breach occurred in October 2025, discovered February 3, 2026 (4-month gap)
- Exposed data includes: emails, phone numbers, Stripe IDs, profile info, internal metadata
- Not exposed: passwords, credit card numbers, financial data
- Enable app-based MFA immediately (not SMS-based)
- Expect targeted phishing using your specific account information
- Monitor for SIM swap attacks given exposed phone numbers