"On February 3rd, we identified evidence of a problem with our systems that allowed an unauthorized third party to access limited user data without permission, including email addresses, phone numbers, and other internal metadata,"
"This data was accessed in October 2025. Importantly, credit card numbers, passwords, and financial information were not accessed."
"We do not have evidence that this information is being misused, but we encourage you to take extra caution with any emails or text messages you receive that may be suspicious."
Substack confirmed an unauthorized third party accessed limited user data in October 2025, including email addresses, phone numbers, and internal account metadata. The company identified evidence of the breach on February 3, 2026, leaving roughly 100 days of potential undetected exposure. Substack stated that credit card numbers, passwords, and financial information were not accessed. CEO Chris Best apologized, said the vulnerable system has been fixed, and said a full investigation is underway. Substack advised users to exercise caution with suspicious emails and text messages. Cybersecurity outlets reported a threat actor posted leaked records online, with nearly 700,000 records reportedly exposed. Substack has not explained how attackers gained access or why detection took months.
Read at TechRepublic
Unable to calculate read time
Collection
[
|
...
]