Substack data breach exposes emails and phone numbers

NEWNow you can listen to News articles!

If you read the newsletters to stay informed, here’s an update worth paying attention to. Substack, a popular platform where writers, journalists, and creators email updates directly to subscribers, has confirmed a data breach that exposed user data.

The company says the exposed information includes email addresses, phone numbers, and internal account metadata. More sensitive data, such as passwords, credit card numbers, and financial information, were not affected. That’s good news. Still, many users wonder how this happened and why it took months to detect it.

For clarity, CyberGuy does not use Substack to send its newsletters.

Sign up to receive my FREE CyberGuy report
Get my best tech tips, urgent security alerts, and exclusive offers delivered right to your inbox. Plus, you’ll get instant access to my Ultimate Guide to Surviving Scams, free when you join me CYBERGUY.COM information sheet.

ROBINHOOD TEXT SCAM WARNING: DO NOT CALL THIS NUMBER

Woman who seems to be stressed in front of her computer.

Substack confirmed a data breach that exposed users’ email addresses, phone numbers, and internal account metadata after unauthorized access in October. (Photo Illustration by Robin Utrecht/SOPA Images/LightRocket via Getty Images)

What we know so far about the Substack breach

According to Substack, the unauthorized access occurred in October but was not identified until February. That means user data may have been exposed for several months before the issue was discovered. In response to CyberGuy’s request for comment, Substack shared an email from CEO and co-founder Chris Best that was sent to affected users on Wednesday, February 4.

“I’m so sorry this happened,” Best wrote. “We take our responsibility to protect your data and privacy seriously, and here we fall short.” He went on to say that the company will “work very hard to make sure this doesn’t happen again.”

According to Best, Substack identified evidence of a system issue on February 3 that allowed an unauthorized third party to access limited user data in October. It confirmed that the data accessed included email addresses, phone numbers and internal metadata. It also said no passwords, credit card numbers or financial information were accessed.

What Substack says it’s doing now

Substack says it has fixed the system issue that allowed unauthorized access and launched a full investigation. The company also said it has no evidence that the exposed information is being misused. Still, he encouraged users to be especially careful with emails or text messages that seem suspicious. While the statement clarifies what data was exposed, it does not explain why the access went undetected for several months or what specific safeguards are now in place to prevent a similar incident. That gap remains a key concern.

Why exposed emails and phone numbers are still important

Email addresses and phone numbers are often the first pieces of information used in scams. Once attackers have verified contact details, they can send messages that appear personal, urgent, or familiar. These messages may refer to subscriptions, billing, or account changes to pressure people to click on links or share information. Even without passwords, this type of exposure can increase the risk of phishing and impersonation attempts. That is why awareness is important now.

MICROSOFT ‘IMPORTANT’ EMAIL IS A SCAM: HOW TO DETECT IT

Security experts warn that exposed email addresses and phone numbers can encourage phishing and phishing scams. (Photo by Annette Riedl/Picture Alliance via Getty Images)

Ways to stay safe after Substack breach

If you have a Substack account, now is a good time to adjust things.

1) Keep an eye out for specific messages

Be wary of emails or text messages that refer to subscriptions or payments for your Substack account. Scammers may use real details to appear convincing.

2) Avoid clicking on links under pressure

Urgent language is a common tactic. Go directly to the Substack website instead of using links in messages. Use a powerful antivirus to protect yourself from malicious links that install malware and can access your private information.

Get my picks for the best antivirus protection winners of 2026 for your Windows, Mac, Android, and iOS devices at Cyberguy.com.

3) Change your password anyway

Even if the passwords weren’t exposed, updating them adds a layer of protection, especially if you reuse the passwords elsewhere. Consider using a password manager, which securely stores and generates complex passwords, reducing the risk of password reuse.

Next, check to see if your email has been exposed in previous breaches. Our #1 pick for password manager includes a built-in breach scanner that checks to see if your email address or passwords have appeared in known breaches. If you discover a match, immediately change any reused passwords and protect those accounts with new, unique credentials.

Check out the best expert-reviewed password managers of 2026 at Cyberguy.com.

4) Limit data exposure

Consider using a data removal service to reduce where your email and phone number appear online. Fewer data points make scams harder to pull off. These services do all the work for you by actively monitoring and systematically deleting your personal information from hundreds of websites.

Check out my top picks for data removal services and get a free scan to find out if your personal information is already available on the web by visiting Cyberguy.com.

Get a free scan to find out if your personal information is already available on the web: Cyberguy.com.

5) Use two-factor authentication

Enable two-factor authentication (2FA) whenever possible to reduce the risk of account takeover.

SOUNDCLOUD DATA BREACH EXPOSES 29.8 MILLION USER ACCOUNTS

The company said no passwords or financial information was accessed, but the breach went undetected for months. (Photographer: Luke MacGregor/Bloomberg via Getty Images)

Kurt’s Key Takeaways

The Substack breach is a reminder that even creator-focused platforms face real security risks. While the company says sensitive data was not affected, unanswered questions remain about delays in detection and transparency. Email addresses and phone numbers are powerful tools in the wrong hands. Staying alert now can prevent bigger problems later. Trust is based on clarity and users are still waiting for it.

Have you changed the way you protect your email and phone number after recent data breaches, and what measures have made you feel more secure? Let us know by writing to us at Cyberguy.com

CLICK HERE TO DOWNLOAD THE News APP

Kurt “CyberGuy” Knutsson is an award-winning technology journalist with a deep love for technology, gear and devices that improve lives with his contributions to News and News Business since mornings on “News & Friends.” Do you have any technical questions? Get Kurt’s free CyberGuy newsletter, share your voice, a story idea or comment on CyberGuy.com.

Breaking News

Adult ADHD stimulant prescriptions are surging, and doctors are raising concerns

Afghan Dad Who Fought Alongside U.S. Military Dies Hours Into ICE Custody

Susie Wiles Has Been Diagnosed With Early Stage Breast Cancer, Trump Says

Trump Throws A Fit Over Supreme Court

Global Energy Crisis Fears Rise As Iran Keeps Stranglehold On Shipping And Hits Dubai Airport

Israel Says It Killed Iran

Team USA players received game-used Olympic hockey jerseys for the World Baseball Classic final against Venezuela

Oregon star Dante Moore writes letter to governor advocating for access to mental health services

Former NHL star criticizes Rangers organization for hosting pride night

Alabama ‘preparing to play’ NCAA tournament without star guard Aden Holloway after felony drug arrest