Substack breach went undetected for four months, exposed 697K email addresses

Newsletter platform Substack disclosed a breach on February 3 that occurred in October 2025, exposing email addresses, phone numbers, and metadata for nearly 700,000 users. The four-month detection gap highlights monitoring challenges for SaaS platforms handling subscriber data at scale.

What happened

Substack confirmed an October 2025 breach on February 3, 2026, notifying affected users two days later via email from CEO Chris Best. An unauthorized party accessed email addresses, phone numbers, and internal account metadata for approximately 697,313 users. Passwords, credit cards, and financial data were not compromised.

The company patched the vulnerability and launched an investigation. No evidence of active misuse exists, but Substack warned users to watch for phishing attempts.

The detection problem

The breach went undetected for four months - a timeline that matters for enterprise leaders evaluating SaaS vendors. The disclosure came only after a threat actor posted the dataset on BreachForums, suggesting a reactive rather than proactive response.

Substack didn't respond to questions about total affected users, data categories exposed, or whether the leaked dataset matches the acknowledged breach. The hacker's dump includes fields Substack hasn't confirmed: user IDs, Stripe IDs, bios, and social handles.

Why this matters

Substack operates 50 million active subscriptions, including 5 million paid. The platform raised $100 million in July 2025 led by BOND and Chernin Group, with Andreessen Horowitz participating.

The breach hits Substack's core value proposition: trusted connections between writers and subscribers. Compromised mailing lists create ready-made targets for scammers - particularly valuable given high engagement rates.

For enterprise security teams, the incident surfaces familiar questions about third-party monitoring. Four months between breach and detection suggests log analysis gaps. The disclosure timeline - public leak before user notification - indicates detection came from external sources, not internal controls.

What to watch

Substack hasn't clarified the vulnerability type or access method. Users should reset passwords (despite Substack's claims they weren't exposed), enable two-factor authentication where available, and monitor for targeted phishing using compromised contact details.

The real test: whether Substack's investigation reveals the breach scope matches or exceeds the leaked dataset. History suggests initial disclosures often expand.