Substack has confirmed a security incident that exposed users’ email addresses, phone numbers, and certain internal metadata, prompting fresh concerns about targeted phishing and account abuse. The company said passwords, payment card data, and other financial information were not accessed, and it has contained the issue while an investigation continues.
While the platform did not disclose how many users were affected, it notified customers and urged caution with unsolicited emails and texts. The message from leadership included an apology and an acknowledgment that the company fell short of its responsibility to protect user data.
What Substack Says Happened in the Recent Security Breach
The company reported that an unauthorized third party accessed its systems and obtained contact information tied to user accounts. Substack said it has fixed the underlying issue and is conducting a forensic review to understand the intrusion and its scope. Officials also said there is no current evidence of misuse, a standard early assessment in incident response but not a guarantee that abuse will not emerge later.
Key technical details remain unclear. Substack has not publicly described the attack vector, the duration of access, or the telemetry used to validate that stolen information has not been exploited. In modern breach postmortems, organizations often detail log retention, endpoint detection coverage, and third-party involvement—clarity that helps users assess risk and regulators evaluate compliance.
Why Emails and Phone Numbers Matter for Targeted Attacks
On their own, email addresses and phone numbers enable convincing phishing and smishing campaigns. Attackers frequently impersonate trusted brands to harvest credentials or push victims to approve fraudulent logins. The Verizon Data Breach Investigations Report has repeatedly found the human element—phishing, social engineering, and error—drives the majority of breaches, with recent editions attributing roughly 68% of incidents to human factors.
Phone numbers also raise the risk of SIM-swapping and account recovery abuse. If a service relies on SMS for two-step verification or password resets, a determined attacker who controls the victim’s number can sometimes bypass protections. NIST’s digital identity guidance cautions that SMS-based codes are more vulnerable than app-based authenticators or hardware security keys.
“Internal metadata” can carry additional sensitivity. Even if it excludes financials, metadata may reveal account relationships, creator-subscriber ties, or communication preferences—useful signals for spear-phishing. For journalists, public figures, and newsletter writers, those signals can also fuel harassment or doxxing attempts.
Scale and exposure context for Substack user data risk
Substack says it serves more than 50 million active subscriptions, including 5 million paid subscriptions. The company has attracted major investors and a large creator economy footprint, which makes its user data a valuable target. Even if only a fraction of accounts were involved, a trove of verified emails and numbers can meaningfully increase the hit rate of phishing campaigns.
Recent history shows how contact data can be weaponized. After well-known communications providers and marketing platforms suffered breaches, threat actors used stolen contact lists to send highly tailored phishing messages that led to broader compromises. Security agencies, including CISA and the FBI, routinely warn that attackers pivot from one data leak to launch the next wave of social engineering.
What Users Should Do Now to Reduce Phishing and Fraud Risk
Be skeptical of emails and texts referencing your newsletter subscriptions, billing changes, or security alerts. Verify messages through known, official channels and avoid clicking embedded links. If an action seems urgent, navigate directly to the service instead of responding to a prompt.
Upgrade account protection anywhere you rely on your phone number for logins or resets. Prefer an authenticator app, passkeys, or hardware security keys over SMS codes. Set or update a carrier PIN to reduce SIM-swap risk, and monitor for unexpected password-reset or one-time-code prompts.
Consider minimizing where your phone number is stored when it is optional, and use unique email aliases to limit cross-service correlation. If you receive a message claiming to be from Substack about this incident, validate it via the company’s official support portal or recent in-app notices rather than replying directly.
If you suspect your information is being misused, file a report with the FBI Internet Crime Complaint Center and your local consumer protection authority. These reports help investigators track campaigns and can support recovery efforts.
What to watch from Substack as its investigation progresses
Users and creators will be looking for a transparent post-incident report that explains root cause, dwell time, and the scope of affected data, along with concrete remediation steps. Best practice is to outline logging improvements, access controls, third-party audits, and any expansion of bug bounty or red-team programs.
Regulators in multiple jurisdictions—state attorneys general in the U.S., as well as European data protection authorities under GDPR—expect timely, detailed notifications and clear guidance for consumers. As criminal groups continue to weaponize contact data, the difference between “no evidence of misuse” and “no misuse” often comes down to visibility. Substack’s next disclosures will indicate how much visibility it has—and how quickly it can convert lessons from this breach into lasting defenses.
