Substack is scrambling to contain fallout from a security breach that exposed user email addresses and phone numbers for months before detection. The newsletter platform discovered the unauthorized access on February 3rd, but the intrusion actually occurred back in October 2025, according to CEO Chris Best's disclosure email. While Substack insists passwords and payment data remain secure, the months-long gap between breach and detection raises serious questions about the company's security monitoring capabilities at a time when content platforms face mounting pressure to protect creator and subscriber data.
Substack just handed phishing scammers a potential goldmine. The newsletter platform started notifying users this week that a hacker accessed internal systems without authorization back in October 2025, exposing email addresses, phone numbers, and other metadata. But here's the kicker - Substack only discovered the breach on February 3rd, meaning the compromised data sat exposed for four months before anyone noticed.
"On February 3rd, we identified evidence of a problem with our systems that allowed an unauthorized third party to access limited user data without permission, including email addresses, phone numbers, and other internal metadata," CEO Chris Best wrote in an email to affected account holders. The admission reveals a troubling blind spot in Substack's security infrastructure at a critical moment for the company.
Substack has been positioning itself as the go-to platform for independent creators and journalists fleeing traditional media, but this breach exposes the kind of security gaps that could make writers think twice. The company now claims it's fixed the vulnerability and launched a full investigation, but it's offered zero technical details about what actually went wrong or how an intruder managed to lurk undetected for months.
Best tried to soften the blow by emphasizing what wasn't compromised. Passwords remain secure, credit card numbers are safe, and other financial information stayed locked down, according to the company. "We do not have evidence that this information is being misused, but we encourage you to take extra caution with any emails or text messages you receive that may be suspicious," Best added in the disclosure.
