Substack Data Breach Exposes User Email Addresses and Phone Numbers
Substack confirmed an incident in which an unauthorized third party accessed limited user data, including email addresses, phone numbers, and other unspecified internal metadata. The company said the access occurred in October 2025 and that passwords, credit card numbers, and other financial information were not accessed; CEO Chris Best stated Substack identified evidence of the issue in early February and has since fixed the underlying problem and opened an investigation.
Public reporting indicates the breach may be connected to data posted on criminal forums: a threat actor allegedly leaked a database on BreachForums containing 697,313 records and claimed the data was obtained via a “noisy” scraping method that was quickly patched. Substack has not disclosed the number of affected users or the precise technical root cause, and both reports note the company advised users to be cautious about phishing attempts leveraging the exposed contact details.
Timeline
Mar 18, 2026
Have I Been Pwned adds the Substack breach
Have I Been Pwned published an entry for the Substack breach, describing about 663,000 affected account records from the October 2025 incident and noting the data was more broadly circulated in February 2026. The listing said the exposed data included email addresses, public profile information, and phone numbers for a subset of users.
Feb 5, 2026
Substack notifies users and publicly confirms the data breach
On February 5, 2026, Substack confirmed the breach in notifications to users and public statements from CEO Chris Best. The company warned affected users to watch for phishing and suspicious emails or texts, and said it was taking steps to improve security controls and processes.
Feb 3, 2026
Substack identifies evidence of the breach and patches the issue
Substack said it discovered evidence of the incident on February 3, 2026, identified the underlying system issue, fixed or patched it, and began an internal investigation. The company later said it had no evidence of active misuse at that time.
Feb 2, 2026
Threat actor advertises alleged Substack dataset on BreachForums
On February 2, 2026, a threat actor posted or advertised an alleged Substack dataset on BreachForums, claiming to have obtained roughly 663,000 to nearly 700,000 user records. Reports said the data included contact details and other account-related fields.
Oct 1, 2025
Unauthorized access to Substack user data occurs
Substack said an unauthorized third party accessed limited user data in October 2025. The exposed information included email addresses, phone numbers, and internal account metadata, while passwords and financial or payment data were reportedly not accessed.
Sources
2 more from sources like BleepingComputer and CSO Online
Related Stories

CodeStepByStep and Substack Account Data Leaked Online
CodeStepByStep and Substack both suffered breaches that exposed user account information and later saw the stolen data spread more widely online. CodeStepByStep, an online coding practice platform, was breached in November 2025, initially exposing 17,000 records before an additional dataset released the following month pushed the total to **103,000** records. The compromised information included names, usernames, and email addresses. Substack was breached in October 2025, and the stolen data was circulated more broadly in February 2026, expanding the exposure of **663,000** account records. The leaked information included email addresses and publicly visible profile details such as publication names and bios, while a subset of records also contained phone numbers. Together, the incidents show how initially stolen account data can gain wider reach when datasets are later republished or redistributed.
1 month ago
Multiple Consumer Data Exposures: IDMerit Database Leak, youX Intrusion, and Substack User Data Access
Cybersecurity researchers reported a major exposure at **IDMerit**, an AI-driven identity verification provider, after discovering an unsecured, internet-accessible **MongoDB** instance containing **over 3 billion records** (over 1TB). Exposed data reportedly included full names, addresses, dates of birth, national ID numbers, phone numbers, and email addresses; researchers estimated roughly **1 billion** records contained sensitive data (with duplicates likely inflating the total). The dataset was described as global in scope, affecting individuals across **26 countries**, with large volumes attributed to the **US, Mexico, and the Philippines**, creating downstream risk for **identity fraud, account takeover, phishing, and SIM-swap** activity. Separately, Australian finance technology platform **youX** confirmed an **unauthorized third-party access** incident, after which a hacker claimed theft of data tied to **444,528** Australian borrowers and additional loan-application and identity data (including driver’s licence numbers, addresses, and credit/banking-related information), plus customer/staff details associated with broker organizations. **Substack** also confirmed unauthorized access to **limited user data** (including email addresses, phone numbers, and internal account metadata) that occurred in **October 2025** but was only identified on **Feb. 3, 2026**; Substack stated **passwords and payment card/financial data were not accessed**, but the extended detection gap raised concerns about monitoring and dwell time.
1 month ago
Flickr Discloses Potential Data Exposure via Third-Party Email Service Provider
Flickr notified users of a **potential data breach** after discovering a vulnerability in a **third-party email service provider** system that may have enabled unauthorized access to some member information. Flickr said it was alerted to the flaw on **February 5, 2026** and disabled access to the affected system within hours. The company did not name the provider or disclose how many users were impacted, but stated that exposed data may include **real names/usernames, email addresses, account types, IP addresses, general location data, and account activity**. Flickr stated that **passwords and payment card data were not compromised**, reducing immediate risk of direct account takeover but increasing risk of **phishing and targeted social engineering** using the exposed profile and activity details. Users were advised to review account settings for unexpected changes and to be cautious of messages referencing their Flickr accounts, with Flickr emphasizing it will not request passwords via email. Separately, Substack reported a different breach involving unauthorized access to limited user data and dark web leak claims; it is not connected to the Flickr incident.
1 month ago