Friday, February 6, 2026

Substack reveals details of historic security breach that exposed user data

Publishing platform Substack has admitted that it suffered a data breach some months ago. In an email sent out to users, company CEO Chris Best explained that the phone numbers and email addresses of some account holders had been accessed by an intruder.

He says of the situation, “that sucks”, and seeks forgiveness from those affected by the security breach. What is interesting about the breach is that it is not something that has just occurred.

While Best has sent the apologetic email just now, the security incident dates back to October 2025. Substack has not been sitting on information about the breach for all those months, however – the incident was only discovered in the last couple of days.

The email sent out by Substack reads:

I’m reaching out to let you know about a security incident that resulted in the email address from your Substack account being shared without your permission. This sucks. I’m sorry. We will work very hard to make sure it does not happen again.

The email does not go into a great deal of detail about what is known about the incident, but Best is at pains to stress the limited nature of the data that was accessed:

This data was accessed in October 2025. Importantly, credit card numbers, passwords, and financial information were not accessed.

While Substack is not being open about the number of affected users, Bleeping Computer has shared details that were revealed elsewhere online:

Although Substack has yet to share how many users were affected by the incident, on Monday, a threat actor leaked a database on the BreachForums hacking forum containing 697,313 records of allegedly stolen data.

At the moment we know nothing about the possible identity of the “unauthorized third party” responsible for the breach. The good news, however, is that Substack says that it has now patched the vulnerability that made the breach possible in the first place.

Best explains in his email:

We have fixed the problem with our system that allowed this to happen. We do not have evidence that this information is being misused, but we encourage you to take extra caution with any emails or text messages you receive that may be suspicious.
