Newsletter platform Substack has confirmed a data breach that exposed user contact information and had gone undetected since October 2025. The delayed discovery has raised concerns about the platform’s security practices and its ability to protect user data.

According to the company, attackers gained unauthorized access to Substack’s systems in the fall of 2025, but signs of the intrusion were only identified in early February 2026. Users were notified via email by CEO Chris Best, who acknowledged that the company failed to detect the breach in a timely manner.
Substack stated that passwords, payment details, and credit card information were not compromised. However, exposed email addresses, phone numbers, and internal metadata could still be leveraged for phishing or social engineering attacks. While the vulnerability has been fixed and an internal investigation launched, the company has not disclosed how many users were affected.

Newsletter platforms are increasingly attractive targets for attackers because they host large, engaged audiences and verified contact lists. Security specialists warn that long detection gaps significantly increase the potential impact of breaches, as attackers may exploit stolen data long before users are alerted.
Privacy advocates also note that even limited data exposure can have serious consequences, particularly when attackers exploit the trust users place in well-known platforms.
The Substack incident highlights ongoing challenges around breach detection, transparency, and accountability in digital services handling sensitive user data. With key details still undisclosed, creators and subscribers are left waiting for clarity as the investigation continues.