Substack Data Breach Exposes User Email Addresses and Phone Numbers
Substack confirmed an incident in which an unauthorized third party accessed limited user data, including email addresses, phone numbers, and other unspecified internal metadata. The company said the access occurred in October 2025 and that passwords, credit card numbers, and other financial information were not accessed; CEO Chris Best stated Substack identified evidence of the issue in early February and has since fixed the underlying problem and opened an investigation.
Public reporting indicates the breach may be connected to data posted on criminal forums: a threat actor allegedly leaked a database on BreachForums containing 697,313 records and claimed the data was obtained via a “noisy” scraping method that was quickly patched. Substack has not disclosed the number of affected users or the precise technical root cause, and public reports note the company advised users to be cautious about phishing attempts leveraging the exposed contact details.

How this story unfolded
Five events, listed from the most recent confirmed update back to the earliest known activity.
Have I Been Pwned adds the Substack breach
Have I Been Pwned published an entry for the Substack breach, describing about 663,000 affected account records from the October 2025 incident and noting the data was more broadly circulated in February 2026. The listing said the exposed data included email addresses, public profile information, and phone numbers for a subset of users.
Substack notifies users and publicly confirms the data breach
On February 5, 2026, Substack confirmed the breach in notifications to users and public statements from CEO Chris Best. The company warned affected users to watch for phishing and suspicious emails or texts, and said it was taking steps to improve security controls and processes.
Substack identifies evidence of the breach and patches the issue
Substack said it discovered evidence of the incident on February 3, 2026, identified the underlying system issue, patched it, and began an internal investigation. The company later said it had no evidence of active misuse at that time.
Threat actor advertises alleged Substack dataset on BreachForums
On February 2, 2026, a threat actor advertised an alleged Substack dataset on BreachForums, claiming to have obtained roughly 663,000 to nearly 700,000 user records. Reports said the data included contact details and other account-related fields.
Unauthorized access to Substack user data occurs
Substack said an unauthorized third party accessed limited user data in October 2025. The exposed information included email addresses, phone numbers, and internal account metadata, while passwords and financial or payment data were reportedly not accessed.
Sources
Seven references tracked:
Substack data breach: User records and internal metadata exposed | SC Media (scworld.com)
Substack Breach: 662,752 User Records Leaked on Cybercrime Forum (hackread.com)
Hacker claims theft of data from 700,000 Substack users; Company confirms breach (securityaffairs.com)
Substack says intruder lifted emails, phone numbers | The Register (go.theregister.com)
Substack confirms data breach affects users' email addresses and phone numbers | TechCrunch (techcrunch.com)
Newsletter platform Substack notifies users of data breach (bleepingcomputer.com)
Substack data breach leaks users’ email addresses and phone numbers | CSO Online (csoonline.com)