Substack is notifying some users of a “security incident” that exposed their email addresses and phone numbers. The incident occurred in October 2025, when a hacker accessed internal data without authorization.
According to an email sent by Substack CEO Chris Best to account holders, the breach was discovered on February 3rd. Best stated that the unauthorized access allowed the hacker to obtain “limited user data” including email addresses, phone numbers, and internal metadata. However, he assured users that passwords, credit card numbers, and other financial information remain secure. In the email, Best explained that “On February 3rd, we identified evidence of a problem with our systems that allowed an unauthorized third party to access limited user data without permission, including email addresses, phone numbers, and other internal metadata.”
The impact of the breach is still being assessed, but Substack has begun notifying affected users. The company will likely face scrutiny over the incident, and users may need to take additional steps to protect their sensitive information. As the situation develops, Substack will likely provide further updates on the measures being taken to prevent similar incidents in the future.
Leave a Reply