Substack: Substack data breach exposed users’ emails and phone numbers

Substack Discloses 2025 Data Breach Exposing User Email Addresses and Phone Numbers

Substack has notified select users that their email addresses and phone numbers were exposed in a security incident last October. In an email sent to affected account holders, CEO Chris Best confirmed that an unauthorized third party accessed internal data on February 3, 2025, though passwords, credit card details, and financial information remained secure.

The breach involved email addresses, phone numbers, and internal metadata, but Substack stated there is no evidence the data has been misused. The company has since patched the vulnerability and is conducting a full investigation while strengthening its security measures to prevent future incidents. No details were provided on the root cause of the breach or the total number of impacted users.

Best apologized for the incident, acknowledging the company’s failure to adequately protect user data. Substack has not yet responded to requests for further clarification on the scope of the breach.

Source: https://www.theverge.com/tech/874255/substack-data-breach-user-emails-phone-numbers

Substack cybersecurity rating report: https://www.rankiteo.com/company/substack

"id": "SUB1770295740",
"linkid": "substack",
"type": "Breach",
"date": "2/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"

{'affected_entities': [{'industry': 'Publishing/Technology',
                        'name': 'Substack',
                        'type': 'Company'}],
 'customer_advisories': 'Email notification sent to affected users',
 'data_breach': {'personally_identifiable_information': 'Email addresses, '
                                                        'phone numbers',
                 'sensitivity_of_data': 'Moderate (PII but no financial data)',
                 'type_of_data_compromised': 'Email addresses, phone numbers, '
                                             'internal metadata'},
 'date_detected': '2025-02-03',
 'description': 'Substack has notified select users that their email addresses '
                'and phone numbers were exposed in a security incident last '
                'October. An unauthorized third party accessed internal data '
                'on February 3, 2025, though passwords, credit card details, '
                'and financial information remained secure. The breach '
                'involved email addresses, phone numbers, and internal '
                'metadata, but there is no evidence the data has been misused.',
 'impact': {'brand_reputation_impact': 'Acknowledged failure to protect user '
                                       'data',
            'data_compromised': 'Email addresses, phone numbers, internal '
                                'metadata',
            'payment_information_risk': 'None (credit card details and '
                                        'financial information remained '
                                        'secure)'},
 'investigation_status': 'Ongoing',
 'post_incident_analysis': {'corrective_actions': 'Strengthening security '
                                                  'measures'},
 'references': [{'source': 'Substack Notification Email'}],
 'response': {'communication_strategy': 'Email notification to affected users',
              'containment_measures': 'Patched the vulnerability',
              'remediation_measures': 'Strengthening security measures'},
 'threat_actor': 'Unauthorized third party',
 'title': 'Substack 2025 Data Breach Exposing User Email Addresses and Phone '
          'Numbers',
 'type': 'Data Breach'}