Substack data breach exposed user emails, phone numbers in October incident
NEWYou can now listen to Fox News articles!
If you read the newsletters to stay informed, here is an update that deserves your attention. Substack, a popular platform where writers, journalists, and creators email updates directly to subscribers, has confirmed a data breach that exposed user data.
The company says the exposed information includes email addresses, phone numbers, and internal account metadata. More sensitive data, such as passwords, credit card numbers and financial information, was not affected. This is good news. Still, many users are wondering how this happened and why it took months to detect it.
For clarity, CyberGuy does not use Substack to send its newsletters.
Sign up for my FREE CyberGuy Report
Get my best tech tips, urgent security alerts and exclusive offers straight to your inbox. Plus, you’ll get instant access to my Ultimate Scam Survival Guide – free when you join my CYBERGUY.COM bulletin.
ROBINHOOD TEXT SCAM WARNING: DO NOT CALL THIS NUMBER
Substack has confirmed a data breach that exposed users’ email addresses, phone numbers, and internal account metadata after unauthorized access in October. (Photo illustration by Robin Utrecht/SOPA Images/LightRocket via Getty Images)
What we know so far about the Substack breach
According to Substack, the unauthorized access took place in October but was not identified until February. This means that user data may have been exposed months before the problem was discovered. In response to CyberGuy’s request for comment, Substack shared an email from CEO and co-founder Chris Best that was sent to affected users on Wednesday, February 4.
“I am incredibly sorry that this happened,” Best wrote. “We take our responsibility to protect your data and privacy seriously, and we have failed here.” He added that the company would “work very hard to make sure this doesn’t happen again.”
According to Best, Substack identified evidence on February 3 of a system issue that allowed an unauthorized third party to access restricted user data in October. He confirmed that the data accessed included email addresses, phone numbers and internal metadata. It also said passwords, credit card numbers and financial information were not accessible.
What Substack says it does now
Substack says it has fixed the system issue that allowed unauthorized access and has launched a full investigation. The company also said it had no evidence that the exposed information had been misused. Still, it encourages users to be more careful with emails or text messages that seem suspicious. While the statement clarifies what data was exposed, it does not explain why access went undetected for several months or what specific safeguards are now in place to prevent a similar incident. This gap remains a major concern.
Why Exposed Emails and Phone Numbers Still Matter
Email addresses and phone numbers are often the first pieces of information used in scams. Once attackers verify contact details, they can send messages that seem personal, urgent, or familiar. These messages may refer to subscriptions, billing, or account changes to encourage people to click on links or share information. Even without a password, this type of exposure can increase the risk of phishing And identity theft attempts. This is why awareness is important now.
MICROSOFT ‘IMPORTANT MAIL’ EMAIL IS A SCAM: HOW TO SPOT IT
Security experts warn that exposed email addresses and phone numbers can fuel phishing and identity theft scams. (Photo by Annette Riedl/photo alliance via Getty Images)
Ways to Stay Safe After Substack Breach
If you have a Substack account, now is a good time to tighten things up.
1) Monitor targeted messages
Be careful with emails or text messages that refer to subscriptions or payments in your Substack account. Scammers may use real details to appear convincing.
2) Avoid clicking on links under pressure
Urgent language is a common tactic. Go directly to the Substack website instead of using links in posts. Use powerful antivirus to protect yourself from malicious links that install malware and potentially access your private information.
Get my picks for the best 2026 antivirus protection winners for your Windows, Mac, Android, and iOS devices at Cyberguy.com.
3) Change your password anyway
Even if the passwords haven’t been exposed, updating them adds a layer of protection, especially if you reuse them elsewhere. Consider using a password manager, which securely stores and generates complex passwords, reducing the risk of password reuse.
Next, check to see if your email has been exposed in past breaches. Our #1 choice for password manager includes a built-in breach scanner that checks to see if your email address or passwords have appeared in known leaks. If you discover a match, immediately change any reused passwords and secure those accounts with new, unique credentials.
Discover the Best Expert-Rated Password Managers of 2026 at Cyberguy.com.
4) Limit data exposure
Consider using a data removal service to reduce where your email address and phone number appear online. Fewer data points make scams harder to pull off. These services do all the work for you by actively monitoring and systematically deleting your personal information across hundreds of websites.
Check out my top picks for data deletion services and get a free scan to find out if your personal information is already available on the web by visiting Cyberguy.com.
Get a free analysis to find out if your personal information is already available on the web: Cyberguy.com.
5) Use two-factor authentication
Enable two-factor authentication (2FA) wherever possible to reduce the risk of account hacking.
SOUNDCLOUD DATA BREACH EXPOSES 29.8 MILLION USER ACCOUNTS
The company said passwords and financial information were not accessed, but the breach went undetected for months. (Photographer: Luke MacGregor/Bloomberg via Getty Images)
Kurt’s Key Takeaways
The Substack breach is a reminder that even creator-focused platforms face real security risks. Although the company says sensitive data was not affected, questions remain unanswered regarding detection times and transparency. Email addresses and phone numbers are powerful tools in the wrong hands. Staying vigilant now can prevent more serious problems later. Trust is built on clarity and users always expect it.
Have you changed how you protect your email and phone number after recent data breaches, and what steps have made you feel more secure? Let us know by writing to us at Cyberguy.com
CLICK HERE TO DOWNLOAD THE FOX NEWS APP
Sign up for my FREE CyberGuy Report
Get my best tech tips, urgent security alerts and exclusive offers straight to your inbox. Plus, you’ll get instant access to my Ultimate Scam Survival Guide – free when you join my CYBERGUY.COM bulletin.
Copyright 2026 CyberGuy.com. All rights reserved.
