Newsletter platform Substack has admitted that an intruder swiped user contact details months before the company noticed, forcing it to warn writers and readers that their email addresses and other account metadata were accessed without permission.

The disclosure arrived in an email this week from Substack CEO Chris Best to affected users, who acknowledged the lapse in unusually no-frills language. "I'm reaching out to let you know about a security incident that resulted in the email address from your Substack account being shared without your permission," Best said in the message, seen by The Register . "This sucks. I'm sorry. We will work very hard to make sure it does not happen again."

According to the company, an "unauthorized third party" accessed limited user data during October 2025. The incident was not detected until February 3, when Substack reported that it had uncovered evidence that its systems had been compromised. The exposed information includes email addresses, phone numbers, and internal account metadata. Substack maintains that passwords, credit card numbers, and financial data were not touched.

[1]Betterment breach may expose 1.4M users after social engineering attack

[2]Italy claims cyberattacks 'of Russian origin' are pelting Winter Olympics

[3]AWS intruder achieved admin access in under 10 minutes thanks to AI assist, researchers say

[4]Nitrogen ransomware is so broken even the crooks can't unlock your files

The company says that it has since patched the vulnerability that allowed access and has launched a full internal investigation. It also claims there is currently no evidence that the stolen data is being actively misused, though it is urging users to remain alert for suspicious emails or phishing attempts.

Substack's confirmation comes after a threat actor posted a dataset they said had been stolen from the platform. A post on a cybercrime forum advertised nearly 700,000 alleged user records, including names, email addresses, phone numbers, user IDs, and profile images.

[5]

It's still unclear whether the trove of data circulating online is connected to the breach Substack has acknowledged. The company did not respond to questions from The Register asking how many users might be affected, what categories of data may have been exposed, or whether the October intrusion matches the information that later surfaced publicly.

[6]

The breach could prove particularly damaging for Substack, whose business depends on trust between writers and subscribers. Mailing lists sit at the core of that model, and if compromised, they could provide scammers with a ready-made catalogue of highly engaged readers. ®

Get our [7]Tech Resources



[1] https://www.theregister.com/2026/02/05/betterment_hack/

[2] https://www.theregister.com/2026/02/05/winter_olympics_russian_attacks/

[3] https://www.theregister.com/2026/02/04/aws_cloud_breakin_ai_assist/

[4] https://www.theregister.com/2026/02/04/nitrogen_ransomware_broken_decryptor/

[5] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2aYUhEXq8HkUz349Gi51vxwAAARI&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0

[6] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44aYUhEXq8HkUz349Gi51vxwAAARI&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[7] https://whitepapers.theregister.com/