Newsletter platform Substack is notifying users that attackers stole email addresses and phone numbers in October 2025, and the company discovered the incident on February 3 2026. A threat actor later posted a database online claiming 697,313 records were leaked.
KEY FACTS
- Incident Unauthorized access to limited user data
- When accessed October 2025
- Discovery February 3 2026
- Leaked records 697,313 records posted on BreachForums
- Excluded data No passwords or financial information accessed
In a breach notification email posted on Bluesky, Substack CEO Chris Best said the company identified evidence that an unauthorized third party accessed limited user data, including email addresses, phone numbers and internal metadata.
The data was accessed in October 2025. Credit card numbers, passwords and other financial information were not accessed.
On Monday a threat actor posted a database on the BreachForums hacking forum that contains 697,313 records of allegedly stolen data and included a note that the scraping method was noisy and patched fast.
The flaw exploited has been fixed. Users were warned to take extra caution with suspicious emails or text messages. The company has not provided a total count of affected users and did not explain how the attacker gained access.
WHY IT MATTERS
Contact information such as email addresses and phone numbers can be used for targeted phishing and spam, increasing risk for affected users. Users should be cautious with unexpected messages that request personal information or credentials.