Substack has confirmed a data breach in an email to its users. The company stated that in October, an unauthorized third party accessed user data, including email addresses, phone numbers, and other unspecified internal metadata. However, Substack specified that more sensitive information, such as credit card numbers, passwords, and other financial data, was not affected.
In the email to users, Substack chief executive Chris Best explained that in February the company identified the issue that had allowed the unauthorized access. Best said Substack has since fixed the problem and initiated an investigation. He wrote, “I’m reaching out to let you know about a security incident that resulted in the email address and phone number from your Substack account being shared without your permission. I’m incredibly sorry this happened. We take our responsibility to protect your data and your privacy seriously, and we came up short here.”
The exact nature of the system issue and the full scope of the accessed data remain unclear. It is also not known why it took the company five months to detect the breach, or whether hackers contacted Substack demanding a ransom. Substack did not disclose how many users were affected.
The company said it has no evidence that the exposed data is being misused, but did not detail what technical means, such as system logs, it used to reach that conclusion. Nevertheless, Substack advised users to exercise caution with unexpected emails and texts.
On its website, Substack reports having over 50 million active subscriptions, including 5 million paid subscriptions, a milestone it reached last March. In July 2025, the company raised 100 million dollars in Series C funding led by BOND and The Chernin Group, with participation from Andreessen Horowitz, Klutch Sports Group CEO Rich Paul, and Skims co-founder Jens Grede.

