BLOG
FEBRUARY 27, 2026
Threat Intelligence
DATA LEAK – SUBSTACK CONFIRMS SECURITY INCIDENT
Executive Summary
Substack, a subscription-based publishing platform, suffered a data breach that occurred in October 2025 and was discovered on February 3, 2026. During the incident an unauthorized party accessed, and later leaked, user account data affecting 697,298 users in total. The exposed information included email addresses, phone numbers, usernames, profile names, bios, and internal account metadata. The dataset was subsequently posted on cybercrime forums, increasing the risk of phishing, spam, and social engineering. The company confirmed that no passwords, credit card details, or financial information were compromised, and reported that it fixed the vulnerability, launched an investigation, and strengthened security controls following disclosure.
Victim Overview
Organization: Substack
Sector: Digital Media / Publishing Technology / Creator Economy
Location: San Francisco, California, United States
Operational Significance:
Provides a platform for writers and publishers to create and distribute email newsletters
Enables monetization through paid subscriptions and integrated payment processing
Hosts hundreds of thousands of creators with a global subscriber base
Supports direct audience engagement without reliance on traditional media channels
Plays a significant role in the independent publishing ecosystem and creator economy
About the Data Breach
Substack suffered a security breach that initially occurred in October 2025, but the company only discovered it on February 3, 2026.
That’s a four-month detection gap — and in cybersecurity, four months is an eternity.
What Happened?
An unauthorized third party accessed limited user account data. The exposed information included:
Email addresses
Phone numbers
Usernames
Profile names
Bios
Internal account metadata
On February 7, 2026, a threat actor posted the leaked Substack data on darknet forums, referencing a ZIP archive containing the full dataset.
The screenshot below, circulating on Telegram, shows users sharing a file named “substack.csv,” described as part of a series of leaks, along with references to hundreds of thousands of rows containing fields such as names, emails, phone numbers, usernames, and account metadata, indicating that the leaked Substack dataset was being distributed and discussed within messaging channels.
Confirmation from CEO of Substack
People reported on Twitter that Chris Best confirmed the incident publicly.
Key statements from Substack leadership:
Unauthorized access occurred in October 2025
Discovered on February 3, 2026
No passwords were accessed
No credit card or financial information was exposed
Substack stated it has:
Fixed the vulnerability
Launched an internal investigation
Strengthened security controls
Found no confirmed evidence of data misuse (as of disclosure)
Leaked Data Samples
The screenshot below contains samples of users’ personal information.
The screenshot below refers to the Substack data breach, which occurred in October 2025 and became widely known in February 2026, affecting 663,000 account holders. Exposed data includes email addresses, publicly available profile information, and, in some cases, phone numbers.
Key Recommendations
Immediate Actions
Notify affected users with phishing awareness guidance
Monitor for secondary dataset redistribution
Review historical access logs for additional anomalies
Detection Improvements
Implement continuous monitoring for abnormal database queries and bulk exports
Establish automated alerts for large dataset extraction events
Reduce mean time to detect (MTTD) through enhanced logging visibility
Structural Controls
Enforce strict least-privilege access controls
Periodically audit internal account metadata access
Strengthen anomaly detection around administrative activity
Conduct regular third-party security assessments
Overall Assessment
The Substack incident represents a Moderate-severity SaaS data exposure involving large-scale contact information but no credential or financial compromise. The primary risk lies in downstream phishing and social engineering campaigns rather than direct account takeover.
Over 663,000 Accounts Impacted: Approximately 663,000–697,000 Substack user accounts were affected by the breach.
User Contact & Profile Data Exposed: The leaked information included email addresses, phone numbers, usernames, bios, and other profile-related details.
No Financial or Password Data Compromised: Passwords, credit card numbers, and financial information were not accessed.
Data Shared on Cybercrime Forums: The exposed dataset was posted on underground forums, increasing the likelihood of misuse.
Elevated Risk of Phishing & Social Engineering: Affected users may face phishing emails, smishing attacks, spam, and targeted social engineering attempts.