Popular digital publishing platform Substack has confirmed a data breach after an “unauthorized third party” accessed user data in October, including email addresses, phone numbers, and other unspecified “internal metadata.”
The California-based company said more sensitive information — including credit card numbers, passwords, and financial data — was not affected.
In an email sent to users, Substack chief executive Chris Best said the company identified the issue in February and has since fixed the problem and launched an investigation.
“I’m reaching out to let you know about a security incident that resulted in the email address and phone number from your Substack account being shared without your permission,” Best said in the email. “I’m incredibly sorry this happened. We take our responsibility to protect your data and your privacy seriously, and we came up short here.”
Substack did not disclose the specific technical issue that enabled access to its systems, nor the full scope of the data involved. The company also did not explain why the breach took approximately five months to detect, or whether it received any ransom demands.
The company said it has no evidence that user data is being misused but did not specify what technical measures or monitoring systems it uses to detect abuse. Substack advised users to exercise caution with emails and text messages but did not provide specific indicators of compromise.
Substack did not disclose how many users were affected by the breach.
According to the company’s website, Substack has more than 50 million active subscriptions, including 5 million paid subscriptions, a milestone it reached in March last year. In July 2025, Substack raised $100 million in Series C funding led by BOND and The Chernin Group (TCG), with participation from a16z, Klutch Sports Group CEO Rich Paul, and Skims co-founder Jens Grede.
