OptMsg Breach Breakdown: Substack

Accounts Impacted: Approximately 663,000 user accounts
Breach Occurrence Date: October 2025
Added to Breach Breakdown: February 2026

The Breach Breakdown

Substack, the popular subscription-based publishing platform used by writers, journalists, and independent creators, confirmed a data breach in February 2026. The breach itself, however, happened four months earlier, in October 2025. An unauthorized third party exploited a vulnerability in Substack’s systems to access user data, and the company did not detect it until February 3, 2026.

After discovering the breach, Substack CEO Chris Best sent notification emails to affected users. “I’m reaching out to let you know about a security incident that resulted in the email address and phone number from your Substack account being shared without your permission,” Best wrote. “I’m incredibly sorry this happened. We take our responsibility to protect your data and your privacy seriously, and we came up short here.”

The disclosure came just days after a hacker posted a dataset on the cybercrime forum BreachForums, claiming to have scraped nearly 700,000 Substack user records. Substack has since fixed the vulnerability and launched a full investigation. However, the fact that the breach went undetected for roughly 100 days raises serious questions about the platform’s security monitoring.

Information Exposed

According to Substack and independent cybersecurity researchers, the leaked data includes:

  • Email addresses
  • Phone numbers
  • Publication names and bios (publicly visible profile data)
  • Profile pictures and user IDs
  • Internal account metadata

Substack confirmed that passwords, credit card numbers, and other financial information were not accessed during this incident.

Why This Is Risky

Even without passwords or financial data being leaked, this breach creates real and lasting risks. Specifically, combining your email address and phone number with your public creator profile gives criminals everything they need to target you. As a result, you could face:

  • Hyper-targeted phishing emails and texts: Attackers know your name, your publication, and your audience. Therefore, they can craft convincing fake emails posing as Substack support, payment processors, or even your own subscribers.
  • SMS phishing (smishing): Because phone numbers were exposed, criminals can now reach you directly by text with urgent-sounding fraud attempts.
  • Impersonation of creators: With bios, profile pictures, and publication names exposed, bad actors can convincingly impersonate writers and journalists to deceive their audiences.
  • Credential stuffing on other platforms: Hackers test exposed email addresses against common passwords on banking, shopping, and social media sites. If you reuse passwords across sites, those accounts are also at risk.

Moreover, the breach went undetected for roughly four months, meaning this data may have been circulating on the dark web long before Substack notified anyone.

What You Should Do Now

If you have, or have ever had, a Substack account as a reader, subscriber, or writer, your data may be affected. Therefore, act now and take these steps:

  1. Be on high alert for phishing emails and texts: Do not click links in unexpected messages claiming to be from Substack, payment processors, or subscribers. Instead, go directly to Substack’s website.
  2. Update passwords on linked accounts: Even though Substack passwords were not leaked, update passwords on any account that shares the same email address, especially banking, email, and social media.
  3. Turn on two-factor authentication (2FA): Add an extra layer of protection to your email and any platform tied to your Substack account.
  4. Watch for SMS scams: Your phone number was exposed. Be skeptical of unexpected texts referencing your account or requesting any action.
  5. Switch to a secure, opt-in email service: Consider moving to OptMsg to stop breach-related phishing and spam from ever reaching your inbox again.

How OptMsg Helps

Your email address and phone number were likely in the Substack breach. That means attackers can now reach you directly, by email and by text, armed with your name, your publication, and your audience details. However, OptMsg gives you the tools to fight back:

  • You decide who can email you. OptMsg’s patent-pending opt-in router technology means only people you approve can reach your inbox, so even if criminals have your email address, they cannot flood you with phishing attempts.
  • No password to steal. OptMsg does not rely on a password to protect your account. Therefore, when breaches leak credentials from other sites, attackers have nothing to exploit.
  • We don’t collect your personal data to sell to advertisers. Unlike “free” inboxes that profit from your information, OptMsg charges a small fee instead of treating you as the product.
  • OptMsg does not scan your emails to sell ads. In short, your inbox belongs to you, not to advertisers or AI training systems.

Why It Matters

The Substack breach did not just expose contact details. It exposed the trust at the heart of a platform built entirely on direct relationships between writers and their audiences. When creators’ emails, phone numbers, and public profiles end up on a cybercrime forum, every subscriber who trusts that relationship becomes a potential target.

Moreover, the most alarming part of this breach is not the data itself. It is the timeline. The unauthorized access happened in October 2025, and Substack did not detect it until February 2026. That is roughly 100 days where user data was potentially circulating with no warning to anyone.

The real issue, however, goes beyond Substack’s failure. As long as your primary email inbox is wide open to anyone who has your address, you remain exposed every time any platform you use gets breached. OptMsg was built to break that cycle entirely.

Your Inbox. Your Rules.

Take control of your inbox today. Download OptMsg on iOS, Android, or use it on the web.

Stay informed. Stay secure. OptMsg actively protects your email from data breaches and cyber threats. Our Breach Breakdown blog alerts you when companies expose personal information, so you can respond before criminals take advantage of it.
