Substack confirms data breach affects users’ email addresses and phone numbers

Newsletter platform Substack has confirmed a data breach and notified users in an email. The company said that in October, an “unauthorised third party” gained access to specific user information, including email addresses, phone numbers, and other unspecified “internal metadata.”

Substack emphasised that no sensitive information was affected by the incident. According to the company, data such as credit card details, account passwords, and other financial information remained secure and was not accessed.

In a message sent directly to users, Substack co-founder and chief executive Chris Best said the company discovered the vulnerability in February that allowed an external party to access its systems. Substack has since fixed the issue and launched an internal investigation to understand better what happened.

“I’m reaching out to let you know about a security incident that resulted in the email address and phone number from your Substack account being shared without your permission,” Best wrote in the email to users. “I’m incredibly sorry this happened. We take our responsibility to protect your data and your privacy seriously, and we came up short here.”

The company has not disclosed specific details about the technical issue that led to the breach or the full scope of the data that may have been accessed. It is also unclear why it took roughly five months for the company to detect the intrusion, or whether Substack received any ransom demands from the attackers. TechCrunch contacted the company for further clarification and said it would update its reporting if additional information becomes available.

Substack did not say how many users were affected by the breach. While the company stated that it has no evidence that the exposed data is currently being misused, it did not explain the technical measures it uses to detect potential abuse, such as system logs or monitoring tools. Even so, Substack advised users to be cautious when receiving emails or text messages, tbutdid not provide specific warning signs to look for.

According to information published on its website, Substack has more than 50 million active subscriptions, including over 5 million paid subscriptions, a milestone the company reached last March. In July 2025, Substack raised $100 million in Series C funding led by BOND and The Chernin Group, with participation from Andreessen Horowitz, Klutch Sports Group CEO Rich Paul, and Skims co-founder Jens Grede.