Substack breach goes undetected for four months


Substack is facing mounting scrutiny after disclosing a security breach that exposed user email addresses, phone numbers and internal metadata — an incident that went undetected for months and is now sparking concern across the platform’s community.

The newsletter platform said attackers accessed its systems in October 2025, but evidence of the intrusion was only discovered on Tuesday.

In a message sent to users, CEO Chris Best acknowledged the lapse.

“I’m reaching out to let you know about a security incident that resulted in the email address and phone number from your Substack account being shared without your permission… I’m incredibly sorry this happened. We take our responsibility to protect your data and your privacy seriously, and we came up short here.”

Chris Best, Substack CEO.

Substack said passwords, financial details and credit card information were not accessed, limiting exposure to contact data and internal metadata. It has since fixed the vulnerability and launched an investigation, but has not disclosed how many users were affected or how attackers exploited the flaw.

The news has already prompted reaction across X, where creators and subscribers questioned how long the breach went unnoticed and what protections users should expect from newsletter platforms that depend on trust and direct relationships with paying audiences.

Substack users on X argue leaked phone numbers and emails should be enough of a concern

Security experts say the delay between the October intrusion and February discovery is particularly troubling. Jamie Akhtar, CEO of CyberSmart, said, “One of the more concerning aspects of this incident is the delay between the initial breach and its discovery. Detection gaps create a longer window for attackers to exploit stolen data, often before victims are even aware there is a problem.”

Newsletter platforms are attractive targets because they aggregate engaged audiences and valuable contact lists. Chris Hauk, consumer privacy advocate at Pixel Privacy, warned that even limited data could be weaponized.

“While we don't know exactly how many Substack content creators or users were affected by the breach, it appears only superficial contact information was harvested… That said, the email addresses and phone numbers… could be used… to launch phishing attacks via text or email.”

Paul Bischoff, consumer privacy advocate at Comparitech, said the risk is indirect but real:

“Substack users should be on the lookout for targeted phishing emails and scams.”

Substack hosts tens of millions of subscriptions globally, making any data exposure significant. The company has not confirmed whether it will offer identity protection services, notify regulators, or involve law enforcement — leaving creators and readers waiting for answers as the investigation continues.

