Substack, a popular platform for independent writers and experts, recently confirmed a data breach that exposed user email addresses, phone numbers, and internal metadata. While the company stated that passwords and financial records remained secure, the unauthorized access occurred in October 2025 and went undetected for four months.

The publishing giant Substack has officially notified its community of a security incident involving the unauthorized access of user data. This platform, which serves as a primary hub for journalists and academics, discovered the breach on February 3 after identifying a vulnerability in its internal systems. This flaw allowed an outside party to extract contact details and various forms of metadata belonging to an unspecified number of creators and subscribers.

Company officials have clarified that the actual intrusion took place back in October 2025. This timeline indicates that sensitive contact information was potentially in the hands of third parties for several months before the gap was identified and closed. Despite the duration of the exposure, the platform has assured its users that the most sensitive categories of data, such as login passwords and credit card information, were not compromised during the event.

In a direct communication to affected individuals, CEO Chris Best explained that the technical weakness exploited by the intruders has since been repaired. The company is currently engaged in a comprehensive investigation to determine the full scope of the incident. Furthermore, the leadership team expressed a commitment to upgrading their security protocols and internal processes to ensure a similar lapse does not occur as the platform continues to grow.

The notification emphasized that there is currently no evidence suggesting the stolen information has been used for malicious purposes. However, the nature of the data involved—specifically email addresses and phone numbers—puts users at a higher risk for targeted phishing attempts or social engineering scams. Because this information was exposed for a significant period, the company is urging its user base to remain vigilant against suspicious communications.

Moving forward, Substack intends to monitor the situation closely while cooperating with security experts to fortify its infrastructure. Users are being encouraged to exercise caution with unsolicited messages and to report any unusual activity tied to their accounts. The incident highlights the ongoing challenges faced by major digital publishing platforms in protecting the privacy of high-profile contributors and their global audiences.

Source: Substack Data Breach Exposes User Emails And Phone Numbers