Newsletter platform Substack has confirmed a security incident involving user account information. The Substack data breach occurred in October, when an unauthorized party accessed internal systems. According to the company, exposed data included user email addresses, phone numbers, and limited internal metadata.
More sensitive information remained untouched. Substack said payment details, passwords, and financial records were not affected. Even so, the disclosure has unsettled users who rely on the platform for private communications and paid subscriptions.
Substack discovered the breach only in February, several months after the access occurred. The company said it has since closed the vulnerability and launched an internal investigation. However, it has not explained why detection took so long.
Chief executive Chris Best addressed users directly in an email. He acknowledged that contact details from Substack accounts were shared without consent. He also apologized, saying the company failed to meet its responsibility to protect user data.
Despite the apology, major questions remain unanswered. Substack has not explained the technical flaw that led to the breach. It also has not clarified how much data was accessed or for how long systems remained exposed. The company declined to say whether attackers demanded a ransom.
Substack also refused to disclose how many users were affected. It said it has no evidence of misuse but offered little detail on how it monitors abuse. Instead, users were advised to remain cautious about unexpected emails or messages. That limited guidance has drawn criticism.
Substack Data Breach Puts Spotlight on Detection Delays
The Substack data breach arrives at a sensitive moment for the company. Substack positions itself as a creator-first platform built on trust. That trust depends on strong security practices and fast response times.
Delayed disclosure often raises concerns about regulatory compliance and user confidence. In recent years, data protection laws have increased pressure on platforms to act quickly. Long detection gaps can suggest weaknesses in monitoring rather than isolated mistakes.
The incident also highlights broader risks facing subscription platforms. Contact details alone can fuel phishing and social engineering attacks. For journalists, writers, and public figures, exposure carries added personal risk.
Substack’s scale amplifies those concerns. The company reports more than 50 million active subscriptions. It also counts 5 million paid subscribers, many of whom share sensitive professional work through private newsletters.
The platform continues to grow financially. In mid-2025, Substack raised $100 million in Series C funding. Investors backed its long-term vision, but security incidents can challenge that narrative.
For now, Substack says the issue is resolved. Still, the Substack data breach carries a familiar lesson: rapid growth must be matched by equally strong investment in security, monitoring, and transparency. Users will watch closely for changes.









