Feb 06, 2026
Substack Breach Exposes 700,000 User Emails—Hackers Had Four Months to Use Them
The newsletter platform discovered the breach in February 2026, but attackers had access since October 2025. Your inbox may already be a target.
If you've ever signed up for a Substack newsletter, your email address and phone number may now be in the hands of cybercriminals. And the attackers had four months to do whatever they wanted with it before anyone noticed.
On February 5, 2026, Substack CEO Chris Best confirmed what security researchers had been warning about for days: the popular newsletter platform suffered a data breach that exposed approximately 700,000 user records. The breach occurred in October 2025 but wasn't discovered until February 3, 2026—a four-month window during which attackers had unfettered access to user data.
The stolen database has already been leaked on BreachForums, one of the internet's most notorious hacking forums.
What Data Was Stolen
The leaked database contains 697,313 user records with the following information:
- Email addresses: All affected accounts
- Phone numbers: For users who provided them
- Full names: Associated with accounts
- User IDs and Stripe IDs: Internal account identifiers
- Profile pictures and biographies: Public profile data
- Account creation dates: Historical metadata
- Social media handles: Linked accounts
The good news: CEO Chris Best confirmed that "credit card numbers and other financial details were not" taken, and passwords were not exposed. The bad news: email addresses combined with phone numbers are exactly what scammers need for sophisticated phishing and smishing attacks.
How the Breach Happened
On February 2, 2026, a threat actor using the alias "w1kkid" posted on BreachForums claiming to have scraped Substack's systems and extracted close to 700,000 user records. The hacker offered the database for sale, prompting security researchers to investigate.
One day later, Substack discovered evidence of the breach internally. In Best's words, the company found "a problem with our systems that allowed an unauthorized third party to access limited user data without permission."
The exact vulnerability hasn't been disclosed, but the four-month detection gap suggests either inadequate monitoring systems or a particularly stealthy intrusion method. Either way, it gave attackers ample time to harvest data and potentially use it for targeted attacks before anyone was alerted.
The Four Month Problem
The timeline of this breach is particularly concerning:
- October 2025: Breach occurs, attackers gain access
- October 2025 – February 2026: Four months of undetected access
- February 2, 2026: Hacker posts database on BreachForums
- February 3, 2026: Substack discovers the breach
- February 5, 2026: CEO notifies users via email
Industry reports like the IBM Cost of a Data Breach Report consistently show that longer detection times lead to higher breach costs and more damage. Four months is an eternity in cybersecurity terms—enough time for attackers to launch targeted phishing campaigns, sell the data multiple times, or use it for identity verification attacks.
Why Newsletter Subscribers Are Valuable Targets
Substack isn't just any platform. Its users tend to be engaged readers who actively subscribe to content they care about. This makes them particularly valuable targets for several reasons:
High engagement rates: Substack readers actually open and read emails. Attackers know phishing emails sent to these addresses are more likely to be opened than spam sent to abandoned inboxes.
Predictable interests: The leaked data includes which newsletters users subscribe to. Attackers can craft highly targeted phishing emails that reference specific topics the victim cares about.
Payment likelihood: Substack users are accustomed to paying for subscriptions. Fake "payment failed" or "subscription renewal" emails are likely to get clicks.
Phone number bonus: With both email and phone number, attackers can run dual-channel attacks—sending a phishing email followed by a fake "verification" text message, dramatically increasing success rates.
What to Do If You Use Substack
If you've ever created a Substack account or subscribed to any newsletter on the platform, assume your data was exposed. Here's how to protect yourself:
- Watch for targeted phishing: Be extremely suspicious of any email claiming to be from Substack, your favorite newsletter authors, or payment processors like Stripe. Attackers know you're a Substack user and will exploit that.
- Verify before clicking: If you receive an email about subscription issues or payment problems, don't click links. Go directly to Substack.com and log in manually to check your account status.
- Watch for smishing: With phone numbers exposed, expect text message scams. Never click links in unexpected SMS messages, even if they appear to come from legitimate services.
- Enable two-factor authentication: If you haven't already, enable 2FA on your Substack account and any account using the same email address.
- Monitor for identity fraud: The combination of name, email, phone number, and social media handles can be used for identity verification attacks. Watch your accounts for unauthorized access attempts.
Substack's Response
To the company's credit, Substack moved relatively quickly once the breach was discovered. CEO Chris Best's notification email stated: "We have fixed the problem with our system that allowed this to happen. We are conducting a full investigation and are taking steps to improve our systems and processes to prevent this type of issue from happening in the future."
Best also noted there is "no evidence" the stolen data has been "misused"—though given that the database is now publicly available on hacking forums, that assessment may age poorly.
The company has not announced any credit monitoring services or additional remediation steps for affected users.
The Bottom Line
700,000 people trusted Substack with their contact information. That trust was rewarded with a four-month data exposure and their personal details ending up on criminal forums.
If you're a Substack user, the phishing attempts are coming—if they haven't started already. Stay vigilant, verify everything, and remember: if an email creates urgency around your account or payment, that's exactly when you should slow down and verify through official channels.