Newsletter giant Substack has officially confirmed a security breach involving the unauthorized access of user data. In an email sent to its user base, the company disclosed that an external party gained access to sensitive account information, including email addresses, phone numbers, and various internal metadata, back in October.
Scope of the Incident
While the breach involved contact information, Substack reassured its users that critical financial and authentication data remains secure. The company explicitly stated that credit card numbers, passwords, and other highly sensitive financial records were not compromised during the incident.
Substack CEO Chris Best addressed the situation directly, acknowledging the failure in data protection. “I’m incredibly sorry this happened. We take our responsibility to protect your data and your privacy seriously, and we came up short here,” Best stated in the correspondence.
Investigation and Timeline
Internal teams identified the system vulnerability in February, months after the initial unauthorized access occurred. While the specific nature of the technical failure remains undisclosed, Substack confirmed that the vulnerability has been patched and a formal investigation is currently underway.
Questions remain regarding the five-month delay in detecting the breach and whether the company was targeted by a ransom demand. Substack has not yet disclosed the exact number of users impacted by this security lapse.
Security Recommendations for Users
Although the company claims there is currently no evidence of data misuse, it has not clarified which specific logs or technical monitoring it used to reach that conclusion. As a precautionary measure, Substack is urging all users to remain vigilant against phishing attempts, suspicious emails, or unsolicited text messages.
Platform Scale
The impact of this breach is significant given the platform’s reach. Substack currently hosts more than 50 million active subscriptions, a milestone that includes 5 million paid users, as detailed in its official growth report. The company continues to operate with substantial backing, having secured $100 million in Series C funding in July 2025 from investors including BOND, The Chernin Group, and Andreessen Horowitz.
