When you sign up for a subscription on Substack, you’re thinking you’ll receive newsletters and posts from online creators, not lose the data you share with the platform. But like any digital service, the data you provide when signing up is at the mercy of Substack, or anyone who happens to gain access to that data. Unfortunately, that’s now the case.
Substack may have lost nearly 700,000 user records
As reported by BleepingComputer, Substack recently disclosed a significant data breach. The company’s CEO, Chris Best, sent users a notice of the breach this week, stating that email addresses, phone numbers, and “other internal metadata” were accessed from Substack accounts without users’ permission. The company reportedly discovered the breach on Feb. 3, even though hackers accessed the data itself in October of 2025. That means the data was in unauthorized hands for roughly four months before Substack identified the breach.
Best explained that Substack has since fixed the problem with the system that allowed an unauthorized third party to access this data. The company is launching an investigation and is reportedly taking steps to prevent this type of breach from happening going forward. On the bright side, Best claims that credit card numbers, passwords, and financial information were not accessed in the breach.
What Best doesn’t share is the scope of the breach. For that, we have to turn to BleepingComputer, which found a post from a “threat actor” on the hacking forum BreachForums. The actor posted a database of 697,313 Substack records, sharing that the Substack user base is much larger, but the scraping method was “noisy and patched fast.” This actor says the data compromised includes email addresses, phone numbers, names, user IDs, Stripe IDs, profile pictures, and bios—a bit more detailed than the report from Substack’s CEO.
700,000 records isn’t the same as 700,000 users: Each record is something like an email address or a phone number, which means one Substack user could have lost multiple records in the breach. Still, it’s a large number of data points, and is little consolation to the users who have lost information here.
What Substack users can do after this breach
Unfortunately, there’s not much users can do to mitigate a data breach once it’s happened. The data stolen from Substack is already lost, and you won’t be able to undo that. However, there are some steps you can take to protect yourself in the wake of the breach, and to prevent this data loss in the future.
First, closely monitor your incoming texts and emails. Hackers will take advantage of the data here to target Substack users in phishing schemes. If you receive messages from strangers, or even suspicious messages claiming to come from Substack, exercise caution. As per usual, never click on links in messages from senders you don’t know, and, even more importantly, never download files or applications if instructed.
You may also want to consider masking your email address going forward. Use a service like Apple’s “Hide My Email” or DuckDuckGo’s email protection to generate a “burner” address each time you need to share your email with a service. The service will send messages to the burner address, which gets forwarded to your real address. That way, the service doesn’t know your real address, and, if hacked, won’t compromise it. Hackers will only get the burner, which you can shut down at any time.
