The digital publishing platform Substack told some of its users that their data had been stolen in a security breach. Affected account holders had their email addresses and phone numbers taken during a hack in October 2025.
In an email published on Blue skySubstack CEO Christ Best said the company became aware of the breach on February 3, which involved an “unauthorized third party accessing limited user data without authorization.” Although internal metadata was also shared in the hack, Best said credit card numbers and other financial information was not. No password was obtained either.
In addition to apologizing to Substack users, the company’s CEO also said in the email that the security vulnerabilities have now been fixed. “We are conducting a thorough investigation and taking steps to improve our systems and processes to prevent this type of issue from occurring in the future,” he said. Best added that there is no evidence that the stolen data is being “misused,” but advised affected account holders to be wary of any suspicious emails or text messages they might receive.
The newsletter platform did not reveal how many accounts were hacked, but Computer beeping reported that a database allegedly containing 697,313 data records stolen from Substack had been leaked on hacking forum BreachForums.
This article was originally published on Engadget at https://www.engadget.com/cybersecurity/substack-ceo-informs-users-of-a-data-breach-151113809.html?src=rss
