Substack is an online platform for publishing email‑based newsletters and blogs, with built‑in paid subscriptions and basic analytics. It’s free to start; creators pay a fee on paid plans. In 2026 it’s estimated to serve tens of thousands of writers and over 35 million active readers worldwide.
Substack disclosed a security incident affecting email addresses, phone numbers, and internal metadata. The company discovered the security breach on February 3rd, 2026, but the incident occurred in October 2025. According to the message sent by CEO Chris Best to the impacted individuals, passwords and financial data were not exposed.
“I’m reaching out to let you know about a security incident that resulted in the email address and phone number from your Substack account being shared without your permission,” reads the message sent to the impacted individuals. “On February 3rd, we identified evidence of a problem with our systems that allowed an unauthorized third party to access limited user data without permission, including email addresses, phone numbers, and other internal metadata. This data was accessed in October 2025. Importantly, credit card numbers, passwords, and financial information were not accessed.”
On a cybercrime forum, a threat actor claimed to have stolen nearly 700,000 records from the company, including names and contacts.
The company launched an investigation into the security breach and took steps to enhance the security of its infrastructure.
“We have fixed the problem with our system that allowed this to happen. We are conducting a full investigation, and are taking steps to improve our systems and processes to prevent this type of issue from happening in the future,” concludes the message. “What you can do. We do not have evidence that this information is being misused, but we encourage you to take extra caution with any emails or text messages you receive that may be suspicious.”
There is no evidence of misuse so far, but users are advised to stay alert and be cautious of any suspicious emails or text messages.
(SecurityAffairs – hacking, data breach)