CodeStepByStep and Substack Account Data Leaked Online
CodeStepByStep and Substack both suffered breaches that exposed user account information and later saw the stolen data spread more widely online. CodeStepByStep, an online coding practice platform, was breached in November 2025, initially exposing 17,000 records before an additional dataset released the following month pushed the total to 103,000 records. The compromised information included names, usernames, and email addresses.
Substack was breached in October 2025, and the stolen data was circulated more broadly in February 2026, expanding the exposure of 663,000 account records. The leaked information included email addresses and publicly visible profile details such as publication names and bios, while a subset of records also contained phone numbers. Together, the incidents show how initially stolen account data can gain wider reach when datasets are later republished or redistributed.
Timeline
Feb 1, 2026
Stolen Substack dataset circulates more broadly
In February 2026, the dataset stolen from Substack was circulated more broadly, increasing the exposure of the compromised account information. The broader exposure involved the same breached account holder data.
Dec 1, 2025
Additional CodeStepByStep dataset is released online
After the initial November 2025 breach, exposed CodeStepByStep data was published online, and an additional dataset was released the following month. This brought the total number of exposed records to 103,000.
Nov 1, 2025
CodeStepByStep suffers data breach affecting 17,000 records
In November 2025, the online coding practice platform CodeStepByStep experienced a data breach that exposed 17,000 records. The compromised data included names, usernames, and email addresses.
Oct 1, 2025
Substack account data is breached
In October 2025, Substack experienced a data breach affecting 663,000 account records. The exposed data included email addresses and publicly visible profile information such as publication names and bios, with some records also containing phone numbers.
See the full picture in Mallory
Mallory subscribers get deeper analysis on every story, including:
Who’s affected and how
Deep-dive technical analysis
Actionable next steps for your team
IPs, domains, hashes, and more
Ask questions and take action on every story
Filter by topic, classification, timeframe
Get matching stories delivered automatically
Related Entities
Organizations
Sources
Related Stories
Substack Data Breach Exposes User Email Addresses and Phone Numbers
Substack confirmed an incident in which an **unauthorized third party** accessed limited user data, including **email addresses**, **phone numbers**, and other unspecified **internal metadata**. The company said the access occurred in **October 2025** and that **passwords, credit card numbers, and other financial information were not accessed**; CEO Chris Best stated Substack identified evidence of the issue in early February and has since **fixed the underlying problem** and opened an investigation. Public reporting indicates the breach may be connected to data posted on criminal forums: a threat actor allegedly leaked a database on **BreachForums** containing **697,313 records** and claimed the data was obtained via a “noisy” scraping method that was quickly patched. Substack has not disclosed the number of affected users or the precise technical root cause, and both reports note the company advised users to be cautious about **phishing** attempts leveraging the exposed contact details.
1 months ago
Multiple Consumer Data Exposures: IDMerit Database Leak, youX Intrusion, and Substack User Data Access
Cybersecurity researchers reported a major exposure at **IDMerit**, an AI-driven identity verification provider, after discovering an unsecured, internet-accessible **MongoDB** instance containing **over 3 billion records** (over 1TB). Exposed data reportedly included full names, addresses, dates of birth, national ID numbers, phone numbers, and email addresses; researchers estimated roughly **~1 billion** records contained sensitive data (with duplicates likely inflating the total). The dataset was described as global in scope, affecting individuals across **26 countries**, with large volumes attributed to the **US, Mexico, and the Philippines**, creating downstream risk for **identity fraud, account takeover, phishing, and SIM-swap** activity. Separately, Australian finance technology platform **youX** confirmed an **unauthorized third-party access** incident, after which a hacker claimed theft of data tied to **444,528** Australian borrowers and additional loan-application and identity data (including driver’s licence numbers, addresses, and credit/banking-related information), plus customer/staff details associated with broker organizations. **Substack** also confirmed unauthorized access to **limited user data** (including email addresses, phone numbers, and internal account metadata) that occurred in **October 2025** but was only identified on **Feb. 3, 2026**; Substack stated **passwords and payment card/financial data were not accessed**, but the extended detection gap raised concerns about monitoring and dwell time.
1 months ago
Multiple High-Profile Data Breaches at SoundCloud, Pornhub, and 700Credit
SoundCloud, Pornhub, and 700Credit have each confirmed significant data breaches impacting millions of users. SoundCloud reported unauthorized access to an ancillary service dashboard, affecting approximately 20% of its 140 million users—about 28 million people. The exposed data included email addresses and information already visible on public profiles, with no passwords or financial details compromised. The incident also caused temporary connectivity issues for some users, particularly those using VPNs, due to configuration changes made during the response. Pornhub notified select Premium subscribers that some user data was exposed following a breach at Mixpanel, a third-party analytics provider, but emphasized that sensitive information such as passwords, payment details, and government IDs were not affected. Pornhub had ceased using Mixpanel in 2021 and was informed of the breach by the vendor. 700Credit, a US-based provider of credit and identity verification services, suffered a third-party supply-chain attack that compromised the personal information of approximately 5.6 million individuals. The breach, which occurred between May and October 2025, involved unauthorized access to names, addresses, dates of birth, and Social Security numbers through a compromised API used by one of 700Credit's integration partners. 700Credit has since shut down the affected API, notified federal authorities, and is offering credit monitoring to victims. These incidents highlight the ongoing risks posed by third-party service providers and the importance of timely breach notification and response.
1 months ago