Substack, the popular newsletter platform, has recently confirmed a data breach that has affected its users. In a communication to its subscribers, the company revealed that an "unauthorized third party" gained access to certain user data, including email addresses and phone numbers, during October.
Fortunately, more sensitive information, such as credit card details and passwords, remains secure and unaffected by this incident.
Chris Best, the CEO of Substack, stated in an email that the breach was identified in February, which allowed unauthorized access to the company's systems. He assured users that the issue has been resolved and that an investigation is currently underway.
In his message, Best expressed his regret, saying, "I'm reaching out to let you know about a security incident that resulted in the email address and phone number from your Substack account being shared without your permission. I'm incredibly sorry this happened. We take our responsibility to protect your data and your privacy seriously, and we came up short here."
Details surrounding the exact nature of the breach and the extent of the data accessed remain unclear. Furthermore, it has not been disclosed why it took five months for the breach to be detected, or if there were any ransom demands involved. TechCrunch has reached out for more information and will provide updates if available.
Substack has not specified the number of users impacted by this breach. While the company claims there is no evidence of misuse of the data, it has not detailed the technical measures in place to monitor for potential abuse. Users have been advised to exercise caution when interacting with unsolicited emails and messages.
On its platform, Substack boasts over 50 million active subscriptions, including 5 million paid subscribers--a significant milestone achieved in March. In July 2025, the company successfully raised $100 million in Series C funding led by BOND and The Chernin Group, with additional contributions from a16z and other notable investors.
