What You Need to Know about the Substack Data Breach

  • Published: Feb 11, 2026
  • Last Updated: Feb 11, 2026

Substack is a popular subscription-based digital publishing platform that allows writers, journalists, podcasters, and content creators to send newsletters directly to their subscribers while monetizing their work. Founded in 2017, the San Francisco-based company has grown significantly, becoming a major alternative to traditional media and offering independent creators a way to build direct relationships with their audiences.

According to the company's latest data, Substack has approximately 35 million subscribers, including more than 5 million paid subscriptions. The platform supports over 50 million active subscriptions and serves approximately 17,000 writers who earn money from their publications. In July 2025, the company raised $100 million in Series C funding, demonstrating strong investor confidence in its business model.

On February 5, 2026, Substack began notifying users of a significant data breach that occurred four months earlier. In an email signed by CEO Chris Best, the company revealed that an unauthorized third party had exploited a weakness in its systems to gain access to user data in October 2025. The breach exposed email addresses, phone numbers, and other internal metadata belonging to Substack account holders.

While Substack has not officially disclosed the exact number of affected users, a threat actor leaked a database on the BreachForums hacking forum claiming to have obtained approximately 697,313 Substack user records. The leaked data reportedly includes names, email addresses, phone numbers, user IDs, Stripe IDs (used by creators for payments), profile pictures, biographies, account creation dates, and social media handles.

Best emphasized that passwords, credit card numbers, and financial information were not accessed. The breach only affected users with Substack accounts; subscribers who receive newsletters via email without creating accounts should not be impacted.

When Was the Substack Data Breach?

The unauthorized access to Substack's systems occurred in October 2025. However, Substack did not discover evidence of the breach until February 3, 2026, meaning the intrusion went undetected for approximately four months. This extended window gave the threat actor ample time to exfiltrate user data and potentially explore additional vulnerabilities.

The four-month delay raises serious questions about Substack's security monitoring capabilities. According to the hacker's description, the attack was "noisy," suggesting it may have generated system logs that went unnoticed. Cybersecurity experts note that modern intrusion detection systems should identify unusual data access patterns, particularly when large amounts of user data are being scraped from databases.

Interestingly, the threat actor leaked the stolen database on BreachForums on February 2, 2026, one day before Substack discovered the breach. This timeline suggests the hacker's public posting may have alerted Substack to the problem, though the company has not clarified this point.

By the time Substack sent breach notification emails on February 5, 2026, the company stated it had resolved the vulnerability and implemented safeguards to prevent similar incidents.

How to Check If Your Data Was Breached

If you have a Substack account, you should have received an email notification if your information was exposed. However, if you have not received a notification, there are several ways to verify your status:

  • Visit Have I Been Pwned (haveibeenpwned.com) to search your email address and see if it appeared in the Substack breach. The service shows that 663,000 account records were exposed.
  • Monitor your email for an unusual increase in phishing attempts or spam messages. Since the breach exposed email addresses, you may notice a surge in suspicious emails.
  • Check your phone for an increase in suspicious text messages or calls. The exposure of phone numbers puts users at heightened risk for smishing attacks (SMS phishing).
  • If you subscribe to newsletters directly via email without a Substack account, you are likely not affected. The breach only impacted users who created accounts with login credentials.

What to Do If Your Data Was Breached

If you received notification from Substack or suspect you may have been affected, take immediate action. While passwords and financial information were not compromised, the exposure of your email address and phone number creates significant risks requiring your attention.

Be extremely vigilant for phishing attempts via email or text message. Criminals often capitalize on breaches by launching targeted campaigns. You may receive messages claiming there is an issue with your account or a payment problem. Always verify message authenticity by navigating directly to Substack's website rather than clicking links in emails or texts.

If you signed up before 2023 and created a password, consider changing it as a precaution. While Substack stated passwords were not accessed, changing your password eliminates any residual risk. If you use the same password on other sites, change those immediately as well.

Enable two-factor authentication (2FA) on your Substack account if you haven't already. Substack offers optional multi-factor authentication requiring a one-time code from an authentication app. This significantly strengthens your account security.

Protect against SIM swapping attacks by contacting your mobile carrier and asking them to require a PIN or password before any account changes are made. This prevents criminals from hijacking your phone number to bypass two-factor authentication on your other accounts.

If you're a Substack creator receiving payments through Stripe, monitor your Stripe account closely for unusual activity. Contact Stripe directly if you notice suspicious transactions or unauthorized changes to payment settings.

Are There Any Lawsuits Because of the Data Breach?

As of February 10, 2026, at least one national class action law firm, Lynch Carpenter LLP, has publicly announced it is investigating potential claims against Substack related to the October 2025 data breach. The firm stated that over 700,000 individuals were impacted and that affected users may be entitled to compensation.

Lynch Carpenter specializes in data privacy matters and has represented millions of clients in data breach litigation. Their investigation suggests formal class action lawsuits may be filed soon, though no lawsuits have been officially filed as of mid-February 2026.

Class action lawsuits following data breaches typically allege negligence in implementing adequate cybersecurity measures. In Substack's case, potential claims could focus on the four-month delay between the breach and its discovery, arguing that inadequate monitoring allowed unauthorized access to go undetected for an unreasonable period.

If lawsuits are filed and successful, affected users could potentially recover compensation for time spent monitoring accounts, costs for credit monitoring services, and damages for increased risk of identity theft. Users interested in participating should monitor announcements from law firms investigating the incident.

Can My Substack Information Be Used for Identity Theft?

Yes. While the breach did not expose Social Security numbers, credit cards, or passwords, the combination of data that was compromised can still be used for identity theft and fraud. The exposed information (email addresses, phone numbers, names, profile pictures, and user IDs) provides criminals with valuable tools for targeted attacks.

Email addresses and phone numbers are particularly valuable for phishing and smishing campaigns. Armed with your contact information and knowing you have a Substack account, criminals can craft highly convincing fraudulent messages claiming there's a problem with your account or an urgent security update. The goal is to trick you into clicking malicious links or providing sensitive information.

Your phone number can be used for SIM swapping attacks, where criminals contact your mobile carrier, impersonate you, and convince the carrier to transfer your number to a SIM card they control. Once they control your phone number, they can intercept text-based two-factor authentication codes, potentially accessing your email, banking, and social media accounts.

For Substack creators whose Stripe IDs were reportedly included in the leaked data, there are additional concerns. While Stripe IDs alone may not provide direct access to payment accounts, they could be used in combination with other information for social engineering attacks. Creators should be especially vigilant and ensure strong security measures on their Stripe accounts.

The exposed profile information, including biographies and social media handles, enables criminals to create highly personalized attacks. They can research victims' interests and online presence to craft convincing impersonation attempts, potentially creating fake profiles using your stolen information to scam your subscribers or professional contacts.

What Can You Do to Protect Yourself Online?

Data breaches have become an unfortunate reality of the digital age. However, you can take proactive steps to protect your personal information and reduce your risk:

  • Use unique, strong passwords for every online account. Each should be at least 12 to 15 characters long and include uppercase and lowercase letters, numbers, and special characters. Never reuse passwords. Consider using a password manager to generate and securely store complex passwords.
  • Enable two-factor authentication (2FA) wherever possible, particularly on accounts with sensitive information. Choose app-based authentication or hardware security keys over SMS-based codes, as text messages can be intercepted through SIM swapping.
  • Be extremely cautious with email and text messages, especially those creating urgency or requesting you click links or provide personal information. Verify legitimacy by contacting the company directly through official channels.
  • Protect your phone number from SIM swapping by contacting your carrier and asking them to require a PIN or password before any account changes are made. This prevents criminals from hijacking your number even if they have other personal information.
  • Regularly review your online accounts and minimize personal information on public profiles. Consider whether you truly need to share your phone number or other details on every platform.
  • Monitor your accounts regularly for suspicious activity. Set up transaction alerts on banking apps, review credit card statements carefully, and check credit reports annually.
  • Be mindful of information you share on social media. Details like your hometown or pet names are commonly used in security questions and can help criminals access your accounts.
  • Keep devices and software updated with the latest security patches. Enable automatic updates to ensure you receive important security fixes immediately.
  • Use email aliases or separate email addresses for different account types when possible. If one email is exposed in a breach, your other accounts remain isolated and protected.

By implementing these security practices and remaining vigilant, you can significantly reduce your risk of falling victim to the types of fraud and identity theft that often follow data breaches like the Substack incident.

 
