Newsletter platform Substack has confirmed a significant data breach, revealing that an unauthorized third party accessed user email addresses, phone numbers, and unspecified "internal metadata" in October 2025. The company discovered this security incident only in early February 2026 and subsequently notified affected users via email.

Crucially, Substack stated that more sensitive information, such as credit card numbers, passwords, or other financial data, was not compromised during the breach.

Substack CEO Addresses Users

Substack CEO Chris Best addressed users directly in an email, acknowledging the "security incident" that led to the unauthorized sharing of email addresses and phone numbers from user accounts. Best stated that the company identified the system vulnerability in February and has since fixed the problem, initiating a full investigation.

"I’m reaching out to let you know about a security incident that resulted in the email address and phone number from your Substack account being shared without your permission," Best wrote to users. "I’m incredibly sorry this happened. We take our responsibility to protect your data and your privacy seriously, and we came up short here."

Unanswered Questions Remain

Several critical details surrounding the breach remain unclear. Substack has not disclosed the exact nature of the system vulnerability, the precise scope of the "internal metadata" accessed, or the total number of users affected. Questions also persist regarding the five-month delay between the October 2025 access and the February 2026 discovery, and whether any ransom demands were made.

While Substack claims to have no evidence of data misuse, it has not specified the technical methods used to ascertain this. The company advised users to exercise caution with suspicious emails and texts, though without providing specific indicators to look for.

Company Background

Substack, a prominent player in the creator economy, boasts over 50 million active subscriptions, including 5 million paid subscriptions — a milestone it reached last March. The platform secured a significant $100 million in Series C funding in July 2025, led by BOND and The Chernin Group (TCG), with additional investment from a16z, Klutch Sports Group CEO Rich Paul, and Skims co-founder Jens Grede.