CodeStepByStep and Substack Account Data Leaked Online
CodeStepByStep and Substack both suffered breaches that exposed user account information and later saw the stolen data spread more widely online. CodeStepByStep, an online coding practice platform, was breached in November 2025, initially exposing 17,000 records before an additional dataset released the following month pushed the total to 103,000 records. The compromised information included names, usernames, and email addresses.
Substack was breached in October 2025, and the stolen data was circulated more broadly in February 2026, expanding the exposure of 663,000 account records. The leaked information included email addresses and publicly visible profile details such as publication names and bios, while a subset of records also contained phone numbers. Together, the incidents show how initially stolen account data can gain wider reach when datasets are later republished or redistributed.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Stolen Substack dataset circulates more broadly
In February 2026, the dataset stolen from Substack was circulated more broadly, increasing the exposure of the compromised account information. The broader exposure involved the same breached account holder data.
Additional CodeStepByStep dataset is released online
After the initial November 2025 breach, exposed CodeStepByStep data was published online, and an additional dataset was released the following month. This brought the total number of exposed records to 103,000.
CodeStepByStep suffers data breach affecting 17,000 records
In November 2025, the online coding practice platform CodeStepByStep experienced a data breach that exposed 17,000 records. The compromised data included names, usernames, and email addresses.
Substack account data is breached
In October 2025, Substack experienced a data breach affecting 663,000 account records. The exposed data included email addresses and publicly visible profile information such as publication names and bios, with some records also containing phone numbers.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Substack Data Breach Exposes User Email Addresses and Phone Numbers
Substack confirmed an incident in which an **unauthorized third party** accessed limited user data, including **email addresses**, **phone numbers**, and other unspecified **internal metadata**. The company said the access occurred in **October 2025** and that **passwords, credit card numbers, and other financial information were not accessed**; CEO Chris Best stated Substack identified evidence of the issue in early February and has since **fixed the underlying problem** and opened an investigation. Public reporting indicates the breach may be connected to data posted on criminal forums: a threat actor allegedly leaked a database on **BreachForums** containing **697,313 records** and claimed the data was obtained via a “noisy” scraping method that was quickly patched. Substack has not disclosed the number of affected users or the precise technical root cause, and both reports note the company advised users to be cautious about **phishing** attempts leveraging the exposed contact details.
Mar 21, 2026
Multiple Consumer Data Exposures: IDMerit Database Leak, youX Intrusion, and Substack User Data Access
Cybersecurity researchers reported a major exposure at **IDMerit**, an AI-driven identity verification provider, after discovering an unsecured, internet-accessible **MongoDB** instance containing **over 3 billion records** (over 1TB). Exposed data reportedly included full names, addresses, dates of birth, national ID numbers, phone numbers, and email addresses; researchers estimated roughly **~1 billion** records contained sensitive data (with duplicates likely inflating the total). The dataset was described as global in scope, affecting individuals across **26 countries**, with large volumes attributed to the **US, Mexico, and the Philippines**, creating downstream risk for **identity fraud, account takeover, phishing, and SIM-swap** activity. Separately, Australian finance technology platform **youX** confirmed an **unauthorized third-party access** incident, after which a hacker claimed theft of data tied to **444,528** Australian borrowers and additional loan-application and identity data (including driver’s licence numbers, addresses, and credit/banking-related information), plus customer/staff details associated with broker organizations. **Substack** also confirmed unauthorized access to **limited user data** (including email addresses, phone numbers, and internal account metadata) that occurred in **October 2025** but was only identified on **Feb. 3, 2026**; Substack stated **passwords and payment card/financial data were not accessed**, but the extended detection gap raised concerns about monitoring and dwell time.
Mar 21, 2026
Thingiverse Exposed Subscriber Data in Breach Affecting Hundreds of Thousands of Users
Thingiverse, the 3D-model sharing platform, suffered a data exposure that placed user information in the hands of hackers, with one report describing a **36GB cache of data** taken from the service. Reporting indicates the leak involved subscriber records and other user-related information from the MakerBot-owned platform, raising concerns that exposed account data could be used for credential abuse, phishing, or broader identity-focused attacks. Subsequent coverage said the incident affected **228,000 subscribers**, underscoring the scale of the breach and the sensitivity of the compromised dataset. The exposure drew attention to the security risks facing online maker communities and subscription platforms, particularly where large stores of user account information are retained and insufficiently protected against unauthorized access or exfiltration.
Jun 8, 2026