Popular online self-publishing platform Substack has disclosed details of a cyber security incident impacting some of its users’ personal data.
“I’m reaching out to let you know about a security incident that resulted in the email address and phone number from your Substack account being shared without your permission,” Substack CEO Chris Best said in a notice to users circulated in the last couple of days and shared on X.
“I’m incredibly sorry this happened. We take our responsibility to protect your data and your privacy seriously, and we came up short here.”
According to Best, the user data was accessed in October 2025, with Substack only discovering evidence of the incident on 3 February. That data accessed included not only email addresses and phone numbers, but also “other internal metadata”.
Best said that “Importantly, credit card numbers, passwords, and financial information were not accessed”.
“We have fixed the problem with our system that allowed this to happen,” Best said.
“We are conducting a full investigation, and are taking steps to improve our systems and processes to prevent this type of issue from happening in the future.”
Best added that Substack had seen no evidence of this data being misused, saying: “This sucks. I’m sorry. We will work very hard to make sure it does not happen again.”
A few days earlier, however, a member of a popular hacking forum claimed to have a raft of Substack user data, including emails, phone numbers, names, user IDs, Stripe IDs, profile pictures, and bios. The hacker, who goes by the online name w1kkid, said they have 697,313 lines of data.
David Hollingworth
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.