Substack Discloses October Breach Exposing User Emails and Phone Numbers

Substack has confirmed that an October 2025 security incident allowed an unauthorized third party to access users’ email addresses, phone numbers and internal account metadata, a breach the company says it did not detect until Feb. 3, 2026. In an email to affected users shared with Fox by CEO and cofounder Chris Best, Substack apologized, said the underlying 'system issue' has been fixed, and emphasized that passwords, credit card numbers and other financial data were not accessed. The four‑month gap between the intrusion and its discovery raises fresh questions about logging, monitoring and incident‑response practices at a platform heavily used by U.S. journalists, independent writers and newsletter subscribers. While Substack says it has no evidence the exposed data is being misused, security experts note that verified emails and phone numbers are prime fuel for targeted phishing and impersonation scams that can lead to account takeovers or broader compromises. Users are being warned to treat unsolicited messages referencing Substack subscriptions or billing with extra skepticism and to harden their other accounts in case these identifiers are cross‑matched in future attacks.