Substack Data Breach: Uncovering the Exposure of User Emails and Phone Numbers

Substack Data Breach: User Information Exposed

Substack, a popular platform for newsletter creators, recently informed some users that their email addresses and phone numbers were compromised in a security incident that occurred in October 2025. According to Substack CEO Chris Best, a hacker gained unauthorized access to internal data, but sensitive information like passwords and credit card details remained secure.

In an email to affected users, Best disclosed that on February 3rd, the company discovered a vulnerability in their systems that allowed a third party to retrieve limited user data, including email addresses and phone numbers. While there is no evidence of misuse, users are advised to remain vigilant against suspicious emails or text messages.

Substack has taken steps to address the security issue and is currently conducting a thorough investigation to enhance its systems and prevent similar incidents in the future. Although specific details about the breach were not disclosed, efforts are being made to safeguard user data. Some users, including myself and several colleagues from The Verge who are also Substack users, did not receive the notification email and have requested clarification from Substack.

Expressing regret over the incident, Best emphasized Substack’s commitment to protecting user data and privacy. He acknowledged the company’s failure in this instance and assured users that measures are being implemented to prevent future breaches.