Substack has begun notifying some users that their email addresses and phone numbers were exposed in a security incident last year.

The company said the issue involved unauthorized access to internal data, but stressed that passwords, credit card details, and financial information were not affected.

In an email sent to impacted account holders, Substack CEO Chris Best said a hacker accessed limited user information in October 2025. According to the message, Substack detected evidence of the breach on February 3, indicating that an outside party had gained unauthorized access to certain internal systems.

Best explained that the exposed data includes email addresses, phone numbers, and internal metadata linked to user accounts. He added that there is no evidence the information has been misused, but advised users to remain cautious of any suspicious emails or text messages they might receive.

Substack said it has since fixed the security issue and is conducting a full investigation, while also strengthening its systems to prevent similar incidents in the future. The company did not disclose how the breach occurred or how many users were affected, and not all Substack users appear to have received the notification email.

“I’m incredibly sorry this happened,” Best told users, acknowledging that the company fell short of its responsibility to protect user data and privacy. Substack said it will share more information if further details emerge from the investigation.

