Overview
- CEO Chris Best told users the intrusion occurred in October 2025 and was identified on February 3, 2026, after which Substack began notifying some affected accounts.
- Exposed data includes email addresses, phone numbers, and internal metadata, while passwords, credit card numbers, and other financial information were not accessed.
- A threat actor posted a dataset on BreachForums, claiming it contains roughly 697,000 Substack records; the dataset is now circulating on other cybercrime channels.
- Third‑party reviews of sample records highlight internal fields such as admin or moderation flags and Stripe customer IDs, which suggest access beyond public scraping.
- Substack says it has patched the flaw and launched a full investigation, has not disclosed how many users are affected, and reports no evidence of misuse while urging vigilance against targeted phishing.