Newsletter platform Substack confirmed a data breach in an email to users, disclosing that an unauthorized third party accessed email addresses, phone numbers, and internal metadata in October.
The company specified that sensitive information remained secure during the incident. Credit card numbers, passwords, and other financial data were not compromised. Substack chief executive Chris Best detailed the timeline in the notification email. The vulnerability enabling the access was identified in February, several months after the October breach occurred. Best stated that the company has since resolved the issue and initiated an investigation into the security incident.
In the email, Best directly addressed affected users with a clear explanation of the exposure. He wrote, “I’m reaching out to let you know about a security incident that resulted in the email address and phone number from your Substack account being shared without your permission.” Best expressed regret over the event, adding, “I’m incredibly sorry this happened. We take our responsibility to protect your data and your privacy seriously, and we came up short here.” This communication marked Substack’s formal acknowledgment of the breach to its user base.
Several aspects of the breach remain undisclosed. The precise nature of the system issue that permitted unauthorized access has not been revealed. The full extent of the accessed data, beyond email addresses, phone numbers, and internal metadata, stays unspecified. Substack took five months to detect the intrusion, from October to February, though no explanation for the delay has been provided. It is also unknown whether the perpetrators contacted the company with demands, such as a ransom. TechCrunch sought additional details from Substack on these points but received no immediate response, with plans to update coverage upon reply.
Substack withheld the number of impacted users. The platform reported no evidence indicating misuse of the compromised data. However, it offered no specifics on monitoring methods, such as system logs, employed to reach this assessment. To mitigate risks, Substack advised users to approach unsolicited emails and text messages with caution, without providing targeted indicators for suspicious activity.
Substack operates a large-scale platform for newsletters. Its website lists more than 50 million active subscriptions as of last March, including 5 million paid subscriptions, representing a key operational milestone. In July 2025, the company secured $100 million through a Series C funding round. BOND and The Chernin Group led the investment, with participation from Andreessen Horowitz (a16z), Klutch Sports Group CEO Rich Paul, and Skims co-founder Jens Grede.
