Substack Data Breach Exposes User Email Addresses and Phone Numbers
In a recent disclosure, Substack, the prominent newsletter platform, has confirmed a security breach that compromised user data, including email addresses, phone numbers, and unspecified internal metadata. The breach, which occurred in October, was identified in February, prompting the company to take immediate corrective measures and initiate a thorough investigation.
Details of the Breach
Substack’s CEO, Chris Best, communicated the incident to users via email, expressing deep regret over the unauthorized access to their personal information. He emphasized the company’s commitment to data protection and acknowledged the shortfall in this instance. Notably, more sensitive information such as credit card details, passwords, and other financial data remained secure and unaffected by the breach.
Scope and Response
The exact number of affected users has not been disclosed. Substack has stated that there is no evidence of misuse of the compromised data. However, the company has advised users to remain vigilant against potential phishing attempts and to exercise caution with unsolicited communications.
Company Background
Substack has experienced significant growth, boasting over 50 million active subscriptions, including 5 million paid subscribers as of March. In July 2025, the company secured $100 million in Series C funding, led by BOND and The Chernin Group, with contributions from a16z, Klutch Sports Group CEO Rich Paul, and Skims co-founder Jens Grede.
Industry Context
This incident adds to a series of data breaches affecting major companies. For instance, in February 2025, Grubhub disclosed a breach impacting customers and drivers, while in January 2025, UnitedHealth confirmed a ransomware attack affecting approximately 190 million Americans. These events underscore the critical importance of robust cybersecurity measures in protecting user data.
User Recommendations
In light of this breach, Substack users are encouraged to:
– Be Cautious: Remain alert to suspicious emails or messages requesting personal information.
– Verify Communications: Confirm the authenticity of communications claiming to be from Substack.
– Monitor Accounts: Regularly review account activity for any unauthorized actions.
Conclusion
Substack’s recent data breach serves as a stark reminder of the ongoing challenges in digital security. The company’s proactive response and commitment to transparency are commendable steps toward rebuilding user trust. As cyber threats continue to evolve, both companies and users must remain vigilant and proactive in safeguarding personal information.
