Substack Data Breach Exposes 697K User Records—What You Need to Know

The digital publishing platform Substack has disclosed a significant data breach that exposed personal information for hundreds of thousands of its users. The incident, which occurred in October 2025 but wasn’t detected until February 3, 2026, involved the unauthorized access of email addresses and phone numbers for approximately 697,000 accounts. No passwords, financial details, or payment information were compromised, according to the company’s CEO.

Substack’s confirmation comes as stolen records allegedly surfaced on underground hacker forums, raising concerns about potential misuse. While the company has fixed the security vulnerability and is conducting a full investigation, users are being advised to stay alert for suspicious communications, including phishing attempts via email or text.

The breach underscores ongoing risks in digital platforms, where delays in detection can extend exposure. Substack’s response highlights a growing trend: even well-established services are not immune to data leaks, and vigilance from both companies and users is critical.

Key Details of the Breach

• Scope: Email addresses and phone numbers for ~697,000 users exposed.
• Timing: Attack occurred in October 2025; breach discovered February 3, 2026.
• Data compromised: No passwords, financial data, or payment details leaked.
• Internal response: Security flaw patched; investigation underway.
• User action: Monitor for phishing attempts; no confirmed misuse reported.

Substack’s CEO emphasized that while the breach was limited in scope, the company is taking steps to enhance security measures. However, the delay between the attack and detection raises questions about how such vulnerabilities are identified and addressed in real time. For users, the immediate takeaway is straightforward: remain cautious of unsolicited messages and consider enabling additional security layers, such as two-factor authentication, if not already in place.

As digital platforms continue to evolve, incidents like this serve as a reminder of the importance of proactive security practices—not just for corporations, but for individuals managing their online presence. Substack has not yet provided a full count of affected users, leaving some uncertainty about the extent of the exposure.