Substack is scrambling to contain fallout from a security breach that exposed user email addresses and phone numbers for months before detection. The newsletter platform discovered the unauthorized access on February 3rd, but the intrusion actually occurred back in October 2025, according to CEO Chris Best's disclosure email. While Substack insists passwords and payment data remain secure, the months-long gap between breach and detection raises serious questions about the company's security monitoring capabilities at a time when content platforms face mounting pressure to protect creator and subscriber data.
Substack just handed phishing scammers a potential goldmine. The newsletter platform started notifying users this week that a hacker accessed internal systems without authorization back in October 2025, exposing email addresses, phone numbers, and other metadata. But here's the kicker - Substack only discovered the breach on February 3rd, meaning the compromised data sat exposed for four months before anyone noticed.
"On February 3rd, we identified evidence of a problem with our systems that allowed an unauthorized third party to access limited user data without permission, including email addresses, phone numbers, and other internal metadata," CEO Chris Best wrote in an email to affected account holders. The admission reveals a troubling blind spot in Substack's security infrastructure at a critical moment for the company.
Substack has been positioning itself as the go-to platform for independent creators and journalists fleeing traditional media, but this breach exposes the kind of security gaps that could make writers think twice. The company now claims it's fixed the vulnerability and launched a full investigation, but it's offered zero technical details about what actually went wrong or how an intruder managed to lurk undetected for months.
Best tried to soften the blow by emphasizing what wasn't compromised. Passwords remain secure, credit card numbers are safe, and other financial information stayed locked down, according to the company. "We do not have evidence that this information is being misused, but we encourage you to take extra caution with any emails or text messages you receive that may be suspicious," Best added in the disclosure.
But that's cold comfort for users whose contact information is now potentially circulating in dark web marketplaces. Email addresses and phone numbers are the basic building blocks of sophisticated phishing campaigns and social engineering attacks. Hackers can use this data to craft convincing impersonation emails or SMS messages targeting Substack users, potentially tricking them into handing over passwords or payment details that weren't part of the original breach.
The scope of the breach remains murky. Substack hasn't disclosed how many users were affected, and the notification emails appear to have gone out selectively. Several reporters at The Verge who actively use Substack accounts confirmed they didn't receive breach notifications, suggesting either a targeted compromise or that Substack is still identifying affected users.
This incident lands at an awkward time for Substack, which has been fighting to maintain its position as the creator economy's newsletter darling. The platform faces mounting competition from Meta's newsletter initiatives, Twitter's revamped subscription features, and traditional email marketing tools adding creator-friendly features. A major security incident that took four months to detect doesn't exactly inspire confidence in creators who've built their entire businesses on the platform.
The four-month detection gap is perhaps the most damning detail in this entire saga. Modern security operations typically catch unauthorized access within hours or days through automated monitoring systems that flag unusual data queries or access patterns. That Substack apparently lacked the visibility to spot a breach for an entire third of a year suggests the company may have been operating with inadequate security logging or monitoring infrastructure.
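The article does not say how Substack's monitoring was set up, so the following is an added illustration of the kind of automated check it describes, not code from Substack or the reporter: a small Python monitor that learns each service account's normal hourly volume of user-record reads from an audit log and flags hours that blow past that baseline, as well as any principal with no prior history touching user data. The log format, the principal names (svc-newsletter, svc-billing, adhoc-export), and every row count are constructed for the example.

```python
"""Hourly data-access volume monitor: an added illustration of the automated
monitoring the article describes. This is NOT Substack's code; the audit-log
format, principal names and row counts below are all constructed."""
from collections import defaultdict
from datetime import datetime
import statistics

# Constructed audit-log lines (hypothetical format):
# <ISO-8601 UTC timestamp> <principal> <action> <table> <rows returned>
SAMPLE_LOG = """\
2025-10-13T09:02:11Z svc-newsletter READ users 40
2025-10-13T10:15:03Z svc-newsletter READ users 55
2025-10-13T11:40:27Z svc-newsletter READ users 38
2025-10-13T12:05:44Z svc-newsletter READ users 61
2025-10-13T13:22:10Z svc-newsletter READ users 47
2025-10-13T09:30:00Z svc-billing READ payments 15
2025-10-13T10:30:00Z svc-billing READ payments 18
2025-10-13T11:30:00Z svc-billing READ payments 12
2025-10-13T12:30:00Z svc-billing READ payments 20
2025-10-14T02:13:51Z svc-newsletter READ users 9000
2025-10-14T02:41:09Z svc-newsletter READ users 11000
2025-10-14T03:08:33Z svc-billing READ payments 16
2025-10-14T03:17:45Z adhoc-export READ users 25000
"""


def parse_log(text):
    """Parse the hypothetical audit format into dicts; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, principal, action, table, rows = line.split()
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "principal": principal,
            "action": action,
            "table": table,
            "rows": int(rows),
        })
    return records


def hourly_totals(records):
    """Sum rows returned per (principal, table) within each UTC hour bucket."""
    totals = defaultdict(lambda: defaultdict(int))
    for r in records:
        if r["action"] != "READ":
            continue
        hour = r["ts"].strftime("%Y-%m-%dT%H:00Z")
        totals[(r["principal"], r["table"])][hour] += r["rows"]
    return totals


def build_baseline(records):
    """Per (principal, table): median hourly volume and its median absolute
    deviation (MAD), a robust spread measure that one bulk read cannot skew."""
    baseline = {}
    for key, hours in hourly_totals(records).items():
        values = list(hours.values())
        med = statistics.median(values)
        mad = statistics.median([abs(v - med) for v in values])
        baseline[key] = (med, max(mad, 1))  # guard against a zero MAD on flat history
    return baseline


def detect(records, baseline, k=5.0):
    """Flag any hour above median + k*MAD, and any (principal, table) pair that
    has no history at all, i.e. a first-seen identity reading the data."""
    alerts = []
    for key, hours in hourly_totals(records).items():
        principal, table = key
        for hour, rows in sorted(hours.items()):
            alert = {"principal": principal, "table": table, "hour": hour, "rows": rows}
            if key not in baseline:
                alert.update(threshold=None, reason="no prior history for this principal/table")
                alerts.append(alert)
                continue
            med, mad = baseline[key]
            threshold = med + k * mad
            if rows > threshold:
                alert.update(threshold=threshold, reason=f"{rows} rows vs threshold {threshold:g}")
                alerts.append(alert)
    return alerts


def run_detection(log_text, cutoff_iso):
    """Learn the baseline from events before the cutoff, then scan events at or after it."""
    cutoff = datetime.strptime(cutoff_iso, "%Y-%m-%dT%H:%M:%SZ")
    records = parse_log(log_text)
    history = [r for r in records if r["ts"] < cutoff]
    recent = [r for r in records if r["ts"] >= cutoff]
    return detect(recent, build_baseline(history))


if __name__ == "__main__":
    for a in run_detection(SAMPLE_LOG, "2025-10-14T00:00:00Z"):
        print(f'{a["hour"]} {a["principal"]}/{a["table"]}: {a["reason"]}')
```

Run against the constructed log, the monitor raises two alerts: svc-newsletter reading 20,000 user rows in an hour whose learned ceiling is 87, and adhoc-export, an identity with no history at all, pulling 25,000 rows. In a real deployment the baseline would be learned over weeks rather than one day, an absolute floor would suppress noise from tiny accounts, and the alerts would route to an on-call queue; the point is that either of these two checks, volume against baseline or first-seen principal, would surface a bulk export of user contact data within the hour rather than after four months.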
"I'm incredibly sorry this happened," Best concluded in his email. "We take our responsibility to protect your data and your privacy seriously, and we came up short here." The company says it's now "bolstering its systems to prevent this type of issue from happening in the future," but hasn't provided specifics about what enhanced security measures it's implementing.
For affected users, the immediate risk isn't catastrophic - email addresses and phone numbers alone can't empty bank accounts. But this data becomes dangerous in the wrong hands when combined with social engineering tactics. Users should be especially wary of any emails or texts claiming to be from Substack asking them to verify account details, reset passwords, or click suspicious links. The real Substack will never ask for passwords via email.
Substack hasn't responded to requests for additional details about the breach's technical nature or total user impact. Until the company provides more transparency about what went wrong and how it plans to prevent future incidents, creators and subscribers are left wondering whether their newsletter platform takes security as seriously as it takes its 10% cut of subscription revenue.
The Substack breach underscores a harsh reality for SaaS platforms in the creator economy - security isn't just an IT problem, it's an existential business risk. When your entire value proposition depends on creators trusting you with their audience relationships, a four-month detection gap isn't just embarrassing, it's potentially business-threatening. Users should enable two-factor authentication if they haven't already, watch for phishing attempts, and consider whether they're comfortable building their business on a platform that took a third of a year to notice someone was rifling through user data. Substack needs to move fast with concrete security improvements and full transparency if it wants to keep creators from eyeing the exits.