Substack, a popular newsletter platform, has confirmed a data breach that exposed users’ email addresses and phone numbers. In an email to users, the company disclosed that an unauthorized third party accessed this data, along with other internal metadata, in October. Sensitive information such as credit card numbers, passwords, and financial details remained unaffected.
Substack Chief Executive Chris Best notified users about the incident. He stated that in February the company identified the security issue, which had allowed unauthorized access to its systems. Best announced that Substack has since fixed the problem and launched an investigation. In the email, Best wrote: “I’m reaching out to let you know about a security incident that resulted in the email address and phone number from your Substack account being shared without your permission.” He added: “I’m incredibly sorry this happened. We take our responsibility to protect your data and your privacy seriously, and we came up short here.”
Substack has not disclosed the exact nature of the system vulnerability or the full scope of the breach. The company took five months to detect the issue, though it provided no explanation for the delay. There is no indication that hackers demanded a ransom. TechCrunch sought additional details from Substack but received no further response at the time of reporting.
The platform did not specify how many users were impacted. Substack reported no evidence of data misuse but offered no details on detection methods, such as system logs. It advised users to exercise caution with unsolicited emails and text messages lacking clear indicators.
Substack reached a milestone last March with more than 50 million active subscriptions, including 5 million paid subscriptions. In July 2025, the company raised $100 million in Series C funding. The round was led by BOND and The Chernin Group, with participation from Andreessen Horowitz (a16z), Klutch Sports Group CEO Rich Paul, and Skims co-founder Jens Grede.








