
A Substack data breach exposed user email addresses and phone numbers, and the timing is the part that should make creators and subscribers pay attention. Substack says an unauthorized third party accessed “limited user data” in October 2025, but the company only identified evidence of the issue on February 3, 2026.
Why you should care: this is not a “they stole my password” story. Email plus phone is identity-layer data that attackers can use to aim phishing at you, try SIM swaps, and target high-value newsletter operators with scary, specific messages that look legit.
What Substack confirmed (and what it didn’t)
In the notification described by reporters, Substack CEO Chris Best said the company found evidence that a system issue let an “unauthorized third party” access limited user data, including email addresses, phone numbers, and other internal metadata. The Verge reported Best’s quote directly and framed it as a breach that primarily impacts user contact info.
Substack also said passwords and financial information were not accessed. That narrows the immediate blast radius, because it suggests attackers did not walk away with login secrets or payment card data they could drain directly. But it does not mean there is “no harm done.” For a platform built on direct creator-to-subscriber contact, emails and phone numbers are the perfect ingredients for targeted social engineering.
What Substack did not provide publicly, at least in the reporting so far, is the kind of detail users need to size up their risk precisely:
- No confirmed count of affected users in the notice described by journalists
- No clear root cause or attack vector, beyond “a problem with our systems”
- No field-by-field scope for what “other internal metadata” includes
That missing scope matters because a paid newsletter operator with a public profile is a different target than a casual reader. Without numbers and specifics, everyone has to assume they might be in the impacted group.
Timeline and why the delay matters
Substack’s timeline is straightforward but uncomfortable: access happened in October 2025, and Substack says it identified evidence on February 3, 2026. TechCrunch reported that Substack confirmed the breach and the exposed data types, and that the company says it has addressed the underlying security issue and is investigating and strengthening its systems.
A months-long gap between access and discovery changes the practical risk for users. It gives attackers time to clean, organize, and enrich the data. An email and phone number list becomes much more powerful once it is cross-referenced with public bios, social accounts, domain records, prior leaks, and payment-facing contact details creators use for their businesses.
It also means you might be seeing the impact already and not connecting it to Substack. If you recently got a “subscription failed” text, a fake “Substack support” email, or a strange carrier message about your number being moved, this breach is the kind of fuel that makes those scams more convincing.
Real-world risks: phishing, SIM swaps, creator-targeting
Email addresses and phone numbers are useful because they help attackers get a foot in the door elsewhere. They can:
- Send spear-phishing that references your publication name, subscriber status, or paid plan to trick you into handing over passwords
- Attempt account recovery on other services where your phone number is the backup factor
- Push SIM swap or port-out attempts, then intercept one-time codes for email, banking, social, or creator tools
- Harass creators directly with doxxing-adjacent intimidation because the phone number makes threats feel “closer”
If you want a quick defense plan that actually moves the needle, do this now:
- Assume your email and phone are compromised identifiers. Be skeptical of any message claiming to be Substack, especially urgent “account locked” or “payout issue” prompts.
- Turn on multi-factor authentication wherever you can, and prefer an authenticator app over SMS codes.
- Add a carrier port-out PIN or account lock with your mobile provider. This is the most direct way to reduce SIM swap risk.
- Check your email account security (Gmail, Outlook, etc.). If an attacker takes your email, they can reset passwords everywhere.
- Stop reusing passwords. Even though Substack says passwords were not accessed, attackers will try your email on other sites using old leaked password combos.
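For the first item in that list, here is one way to triage an email that invokes the Substack name, checking it for the lure themes named above. This is an added example, not code from Substack or from the original article; it assumes genuine Substack mail and links use substack.com, and both sample messages are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse
# Assumption (not stated in the article): genuine Substack mail and links use substack.com.
TRUSTED = "substack.com"
# Lure themes named in the article: account locked, payout issue, subscription failed.
LURES = re.compile(r"account (is |has been )?locked|payout|subscription failed", re.I)
URLS = re.compile(r"https?://[^\s<>()]+")

def in_trusted(host):
    host = (host or "").lower().rstrip(".")
    return host == TRUSTED or host.endswith("." + TRUSTED)

def triage(raw):
    """Return the reasons a message that invokes Substack looks suspicious."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')}\n{body}"
    if "substack" not in f"{display} {text}".lower():
        return []  # does not claim to be Substack; out of scope
    reasons = []
    if not in_trusted(addr.rpartition("@")[2]):
        reasons.append("uses the Substack name but sender domain is not substack.com")
    auth = " ".join(msg.get_all("Authentication-Results", [])).lower()
    if "dmarc=pass" not in auth:  # trust only the header your own mail server added
        reasons.append("no DMARC pass recorded by the receiving server")
    if LURES.search(text):
        reasons.append("urgent lure wording")
    hosts = {urlparse(u).hostname for u in URLS.findall(text)}
    bad = sorted(h for h in hosts if h and not in_trusted(h))
    if bad:
        reasons.append("links leave substack.com: " + ", ".join(bad))
    return reasons

# Constructed samples (not real messages); example.net and example.org are reserved domains.
FAKE = """From: Substack Support <help@substack-billing.example.net>
Subject: Payout issue: your account is locked
Authentication-Results: mx.example.org; dmarc=fail

Confirm your details at https://substack.example.net/login within 24 hours.
"""
REAL = """From: Substack <no-reply@substack.com>
Subject: Your weekly digest
Authentication-Results: mx.example.org; dmarc=pass header.from=substack.com

Read more at https://substack.com/inbox
"""
```

`triage(FAKE)` returns four reasons and `triage(REAL)` returns an empty list. An empty result means only that none of these four checks fired.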
One more wrinkle: a threat actor has claimed the incident involved about 700,000 users, but that number is not verified and is not a confirmed Substack figure. Still, the uncertainty is its own reason to be cautious. When you do not know whether you are in the affected pool, you treat it like you are and harden your accounts.
The takeaway is simple: this breach is about targeting, not immediate theft. Substack says it fixed the security issue, but for users, the safest move is to act like your email and phone are now public to attackers, and to lock down the accounts that matter most. Longer term, creator platforms need faster detection and clearer scope disclosures, because “limited data” can still cause very real damage.
