Article Details
Scrape Timestamp (UTC): 2026-02-05 20:01:38.567
Source: https://www.theregister.com/2026/02/05/substack_admit_security_incident/
Original Article Text
Substack says intruder lifted emails, phone numbers in months-old breach
Contact details were accessed in an intrusion that went undetected for months, the blogging outfit says.
Newsletter platform Substack has admitted that an intruder swiped user contact details months before the company noticed, forcing it to warn writers and readers that their email addresses and other account metadata were accessed without permission.
The disclosure arrived in an email this week to affected users from Substack CEO Chris Best, who acknowledged the lapse in unusually no-frills language.
"I'm reaching out to let you know about a security incident that resulted in the email address from your Substack account being shared without your permission," Best said in the message, seen by The Register. "This sucks. I'm sorry. We will work very hard to make sure it does not happen again."
According to the company, an "unauthorized third party" accessed limited user data during October 2025. The incident was not detected until February 3, when Substack reported that it had uncovered evidence that its systems had been compromised.
The exposed information includes email addresses, phone numbers, and internal account metadata. Substack maintains that passwords, credit card numbers, and financial data were not touched.
The company says that it has since patched the vulnerability that allowed access and has launched a full internal investigation. It also claims there is currently no evidence that the stolen data is being actively misused, though it is urging users to remain alert for suspicious emails or phishing attempts.
Substack's confirmation comes after a threat actor posted a dataset they said had been stolen from the platform. A post on a cybercrime forum advertised nearly 700,000 alleged user records, including names, email addresses, phone numbers, user IDs, and profile images.
It's still unclear whether the trove of data circulating online is connected to the breach Substack has acknowledged. The company did not respond to questions from The Register asking how many users might be affected, what categories of data may have been exposed, or whether the October intrusion matches the information that later surfaced publicly.
The breach could prove particularly damaging for Substack, whose business depends on trust between writers and subscribers. Mailing lists sit at the core of that model, and if compromised, they could provide scammers with a ready-made catalogue of highly engaged readers.
Daily Brief Summary
Substack revealed a data breach involving email addresses and phone numbers, undetected for several months, affecting its platform's writers and readers.
The breach, discovered in February 2025, involved unauthorized access to user contact details and internal account metadata, but no financial or password data was compromised.
Substack's CEO communicated the incident to users, acknowledging the failure and committing to improved security measures to prevent future breaches.
The company has patched the vulnerability that led to the breach and initiated a comprehensive internal investigation to assess the impact and prevent recurrence.
Despite no current evidence of misuse, Substack advises users to be vigilant for phishing attempts, as nearly 700,000 user records were reportedly advertised on a cybercrime forum.
The breach poses a risk to Substack's business model, which relies on trust and secure mailing lists, essential for maintaining relationships between writers and subscribers.
Substack has not specified the exact number of affected users or confirmed if the leaked data online is directly linked to this breach.