Substack has confirmed a data breach that exposed user contact details, including email addresses and phone numbers, after an unauthorized party accessed internal data. The company says it has no evidence that passwords, credit card numbers, or other financial information were compromised, and it is notifying affected users directly.
What Was Exposed And What Was Not In The Breach
According to the company’s message to users, the exposed data includes email addresses, phone numbers, and internal metadata tied to Substack accounts. Substack emphasizes that authentication credentials and payment information were not accessed, suggesting the incident was more akin to a contact list and account metadata leak than a full account takeover scenario.
CEO Chris Best acknowledged the failure and said the platform is investigating to strengthen defenses. While the company has not provided a specific user count, it indicated that only a subset of accounts was affected and that those users are being notified via email from the CEO’s address.
Why Contact Data Exposure Matters For Users
Even without passwords, exposed emails and phone numbers can open the door to targeted phishing and SMS phishing (smishing). Attackers commonly weaponize recognizable sender names to craft convincing messages that prompt victims to click malicious links or share one-time codes. The FBI’s Internet Crime Complaint Center has repeatedly warned that social engineering remains the most common path to fraud, and industry breach reports consistently show that contact data often seeds follow-on attacks.
Real-world incidents illustrate the risk. A past breach involving a major email marketing provider led to crypto-focused phishing campaigns against subscribers of high-profile newsletters. Likewise, the Twilio intrusion that leveraged SMS lures showed how phone numbers can be exploited to push MFA-bypass attempts. Substack’s leak presents similar exposure pathways for writers and readers who are accustomed to receiving legitimate messages from newsletters they trust.
What Substack Users Should Do To Stay Safe
Be extra cautious with any unexpected emails or texts referencing your Substack activity, subscriptions, or billing. Verify requests by navigating directly to the service rather than clicking links. If a message asks for credentials, recovery codes, or payment updates, assume it is suspicious until proven otherwise.
Turn on multifactor authentication for the email accounts tied to your Substack logins and consider app-based authenticators over SMS where possible. If your mobile number could be targeted, enable a carrier-level port-out lock and add a SIM PIN. Security professionals also recommend checking whether your email appears in known breach corpora with services like Have I Been Pwned and rotating credentials anywhere you reused a password (even though Substack says passwords were not exposed).
What This Means For Publishers And Creators
For writers and publishers, the biggest risk is audience trust erosion if subscribers start receiving convincing spoofed messages. Creators should remind readers where official communications will come from, avoid sending urgent credential requests, and use domain authentication tools like SPF, DKIM, and DMARC to help mailbox providers flag impersonation attempts.
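As an added example that is not part of the article, the following Python script parses SPF and DMARC TXT records and flags the weak settings (a p=none policy, a partial pct, a neutral or soft "all" mechanism) that let spoofed newsletter mail reach subscribers; the records, domains and addresses it checks are constructed samples, not real Substack DNS data.

```python
# Added example: evaluate SPF/DMARC records for settings that leave a sender
# domain open to impersonation. Sample records below are constructed placeholders.
import re


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=none; rua=...' into a lowercase tag -> value dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_findings(record: str) -> list[str]:
    """Return weaknesses in a DMARC record; an empty list means no findings."""
    tags, findings = parse_dmarc(record), []
    if tags.get("v") != "DMARC1":
        findings.append("missing or invalid 'v=DMARC1' tag")
    policy = tags.get("p")
    if policy is None:
        findings.append("no 'p=' policy tag")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine sends spoofs to spam instead of rejecting them")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct} applies the policy to only part of the mail stream")
    if "rua" not in tags:
        findings.append("no 'rua=' address; aggregate spoofing reports will not arrive")
    return findings


def spf_findings(record: str) -> list[str]:
    """Return weaknesses in an SPF record (terminal 'all' qualifier, lookup count)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    findings = []
    if "+all" in terms or "all" in terms:
        findings.append("'+all' authorizes every sender; SPF gives no protection")
    elif "?all" in terms:
        findings.append("'?all' is neutral; unlisted senders neither pass nor fail")
    elif "~all" in terms:
        findings.append("'~all' is softfail; relies on DMARC to act on the result")
    elif "-all" not in terms:
        findings.append("no terminal 'all' mechanism; unlisted senders default to neutral")
    # RFC 7208 limits DNS-querying mechanisms/modifiers to 10 per evaluation.
    lookups = sum(1 for t in terms if re.match(r"^[+\-~?]?(include:|a\b|mx\b|ptr|exists:|redirect=)", t))
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup mechanisms exceed the limit of 10 (permerror)")
    return findings


# Constructed sample records: a weak pair beside a hardened pair.
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
HARDENED_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s"
WEAK_SPF = "v=spf1 include:_spf.example.net ?all"
HARDENED_SPF = "v=spf1 include:_spf.example.net -all"

if __name__ == "__main__":
    for label, rec, check in [("weak DMARC", WEAK_DMARC, dmarc_findings),
                              ("hardened DMARC", HARDENED_DMARC, dmarc_findings),
                              ("weak SPF", WEAK_SPF, spf_findings),
                              ("hardened SPF", HARDENED_SPF, spf_findings)]:
        print(f"{label}: {check(rec) or ['OK']}")
```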
Segmenting contact lists and limiting the amount of metadata attached to subscriber records can reduce exposure in future incidents. Regularly exporting and encrypting backups, auditing access rights for contributors, and enforcing MFA across contributor accounts are pragmatic steps aligned with guidance from CISA and NIST.
Scope Still Unclear As Investigation Continues
Substack has not disclosed how many users were affected or the specific method the attacker used to gain access. The company says it identified the issue recently and began notifying impacted users within two days, a timeline that aligns with modern breach-response playbooks emphasizing speed and clarity.
While the company reports no evidence of active misuse, similar incidents often lead to opportunistic campaigns as attackers test exposed contact lists. Security researchers typically advise treating the period immediately after a disclosure as a prime time for spoofed alerts and password-reset scams that exploit heightened concern.
The Bigger Picture For Platforms Built On Trust
Publishing platforms sit on rich subscriber graphs that are highly valuable for social-engineering operations. Verizon’s annual Data Breach Investigations Report has long documented how attackers chain low-sensitivity data—like email addresses and phone numbers—into high-impact outcomes through credential harvesting and account recovery scams. That pattern puts a premium on rapid notification, transparent scope, and concrete hardening steps after any exposure.
Substack says it is conducting a full review to improve its systems. Users should expect more details as the investigation progresses, and in the meantime, treat any communication invoking Substack or specific newsletters with extra scrutiny. The safest response to a breach is a blend of provider transparency and user vigilance—both will be essential in the days ahead.