"On February 3rd, we identified evidence of a problem with our systems that allowed an unauthorized third party to access limited user data without permission, including email addresses, phone numbers, and other internal metadata,"
"We do not have evidence that this information is being misused, but we encourage you to take extra caution with any emails or text messages you receive that may be suspicious."
"I'm incredibly sorry this happened,"
"We take our responsibility to protect your data and your privacy seriously, and we came up short here."
Substack notified some users that email addresses, phone numbers, and other internal metadata linked to accounts were exposed in a security incident dating to October 2025. A hacker accessed internal data without authorization while passwords, credit card numbers, and other financial information remained secure. Evidence of the issue was identified on February 3rd, and there is no evidence the exposed data is being misused. Users are urged to exercise caution with suspicious emails and text messages. The security problem has been fixed, a full investigation is underway, and systems are being bolstered to prevent recurrence. Some users did not receive notifications.
Read at The Verge
Unable to calculate read time
Collection
[
|
...
]