Substack is notifying some users that the email addresses and phone numbers linked to their accounts were exposed in a “security incident” last year. In an email to account holders, Substack CEO Chris Best said that a hacker had accessed internal data without authorization in October 2025, but that passwords, credit card numbers, and other financial information remain secure.
“On February 3rd, we identified evidence of a problem with our systems that allowed an unauthorized third party to access limited user data without permission, including email addresses, phone numbers, and other internal metadata,” Best said in the email. “We do not have evidence that this information is being misused, but we encourage you to take extra caution with any emails or text messages you receive that may be suspicious.”
Substack says that it has since fixed the security problem, and is now conducting a full investigation alongside bolstering its systems “to prevent this type of issue from happening in the future.” The platform didn’t provide any details regarding what the security issue was, or how many users have been impacted — myself and several Verge colleagues who also use Substack did not receive the email. We have reached out to Substack for clarification.
“I’m incredibly sorry this happened,” Best said in the email to users. “We take our responsibility to protect your data and your privacy seriously, and we came up short here.”