A quiet vulnerability has surfaced within a popular digital platform, exposing the personal data of hundreds of thousands of users. The breach, impacting Substack, wasn't discovered immediately, leaving sensitive information vulnerable for months before action was taken.
The initial notification from Substack’s CEO, Chris Best, acknowledged a data breach involving email addresses, phone numbers, and internal metadata. However, the full extent of the compromise remained obscured, prompting independent investigation into the incident.
A threat actor on a notorious hacking forum, BreachForums, revealed a database containing 697,313 Substack records. This data included not only contact information, but also names, user IDs, Stripe IDs, profile pictures, and even user bios – a significantly more detailed picture than initially presented.
While the number of records doesn’t equate directly to unique users, the sheer volume is alarming. Each individual could have multiple data points exposed, offering a rich trove of information for malicious actors.
Crucially, the breach occurred in October 2025, yet wasn’t identified by Substack until February 3rd. This four-month window allowed unauthorized access to the data, amplifying the potential for misuse and harm.
The company claims to have patched the vulnerability that allowed the breach, and is conducting an investigation to prevent future incidents. However, the damage is already done, and users must now take proactive steps to protect themselves.
Unfortunately, once data is stolen, recovery is impossible. The compromised information is now circulating in the digital underworld, and users must brace for potential consequences.
Increased vigilance is paramount. Expect a surge in phishing attempts targeting Substack users, designed to exploit the stolen data. Be wary of unsolicited messages, even those appearing to originate from Substack itself.
Never click on links or download attachments from unknown senders. This simple precaution can prevent falling victim to sophisticated phishing scams. Exercise extreme caution with any unexpected communication.
Consider adopting email masking services like Apple’s “Hide My Email” or DuckDuckGo’s email protection. These tools generate disposable email addresses, shielding your primary address from exposure.
By using a “burner” email, you limit the damage in the event of a future breach. If a service is compromised, only the disposable address is affected, protecting your true identity and minimizing risk.
This incident serves as a stark reminder of the inherent risks associated with entrusting personal data to any digital service. Proactive security measures and a healthy dose of skepticism are essential in today’s interconnected world.
