Last updated 1 month ago
Substack, a technology company operating a publishing platform, experienced a data breach in October 2025; the stolen data was subsequently circulated more widely in February 2026. The incident exposed 663,121 account holder records containing email addresses and publicly visible profile information, including publication names and bios. A subset of records also included phone numbers.
The breach involved unauthorized access to account holder records, resulting in the exfiltration of email addresses, publication names, and user bios. The compromised data included both publicly accessible profile information and non-public phone numbers for a portion of affected users. The attack vector appears to have involved unauthorized access to Substack's systems, though specific technical details of the intrusion method were not disclosed.
No post-incident developments regarding regulatory actions, litigation, ransom payments, or remediation milestones were reported in the available information.
This breach demonstrates that even publicly accessible profile data, when combined with email addresses and phone numbers, creates significant privacy and security risks. The incident highlights the need for technology platforms to implement stronger access controls around user data repositories, particularly for data elements like phone numbers that warrant stronger protection than publicly visible profile information. The four-month gap between the initial breach and the wider circulation suggests that improved detection and notification mechanisms could reduce secondary exploitation risks.