
Substack has notified users of a data breach that exposed email addresses and phone numbers. The incident occurred in October 2025 but was not discovered until February 3, 2026. The company says an unauthorized party gained access to limited account information, though passwords and payment details were not compromised.
According to Substack CEO Chris Best, the breach involved certain user contact data and internal metadata. The vulnerability responsible for the incident has since been addressed, and the company says a full investigation is underway. At present, there is no confirmed evidence that the stolen data has been actively misused.
Despite that, users are being advised to remain cautious. Substack recommends watching for suspicious emails or text messages that could attempt to exploit the leaked contact information through phishing or social engineering.
The company has not disclosed how many accounts were affected. However, a dataset published on a hacking forum reportedly contains roughly 697,000 records believed to be linked to Substack users.
Substack says it will continue to monitor the situation and provide updates as its investigation progresses.

