In an email sent to users Thursday morning, Substack CEO Chris Best confirmed that the subscription-based newsletter publishing platform, popular with writers and journalists, suffered a security breach in October 2025 that resulted in the exposure of user data, including email addresses, phone numbers, and other internal metadata.

According to the email seen by Techloy, the breach was discovered on February 3, after the company found evidence of system issues that allowed unauthorized third-party access.

“On February 3rd, we identified evidence of a problem with our systems that allowed an unauthorized third party to access limited user data without permission, including email addresses, phone numbers, and other internal metadata,” Best says in the email. He added, however, that “importantly, credit card numbers, passwords, and financial information were not accessed,” claiming that there is currently no evidence the exposed data has been used for malicious activity.

“We do not have evidence that this information is being misused, but we encourage you to take extra caution with any emails you receive that may be suspicious,” the email says. While Substack has not disclosed how many users were affected by the breach, a blog suggested that up to about 700,000 accounts may have been compromised.

The company says it has since fixed the vulnerability responsible for the incident and is taking additional steps to prevent a similar breach in the future.

This is not the first time user data on Substack has been exposed. In 2020, the company placed recipient addresses in the “CC” field instead of the “BCC” field while sending out a mandatory policy update, allowing users to see the email addresses of others included in the same message.

At the time, the company said it was “so sorry this happened – and we are aware of the irony. This was a genuine mistake, we feel terrible about it, and we will do everything in our power to never repeat it.”

For a platform that hosts millions of independent writers and publishers, incidents like this highlight the growing importance of strong security practices, especially as creators increasingly rely on services like Substack to manage audiences, subscriptions, and sensitive user information.

“I'm sorry. We will work very hard to make sure it does not happen again,” Best added.
