
Substack Breach
Feb 9, 2026
664,249 rows
What happened in the Substack Breach?
DataBreach.com Team · February 8th 2026, 7:00 pm EST
In early February 2026, Substack confirmed a significant data breach affecting approximately 697,313 user records. While the incident was officially disclosed on February 6, 2026, the actual breach occurred months earlier, in October 2025.
The breach was not a traditional server penetration but a "noisy" scraping attack targeting Substack’s API. Threat actors exploited a vulnerability in the platform’s infrastructure to harvest a wealth of user metadata before security systems triggered and patched the flaw. Although Substack’s total user base exceeds 35 million, this specific leak was limited to a subset of nearly 700,000 accounts.
The Compromised Data
The leaked dataset is notable for its depth rather than its breadth. While it did not include passwords or credit card numbers, it exposed highly specific personal information, including:
- Contact Info: Email addresses and phone numbers.
- Identity: Full names, User IDs, and account biographies.
- Social Graph: Connected social media handles and profile pictures.
- Metadata: Account creation dates and Stripe Customer IDs (which link users to payment processors but do not allow transactions).
Implications and Risks
The four-month gap between the attack and its discovery-known as "dwell time"-has drawn criticism from security experts. Substack CEO Chris Best acknowledged the incident in an email to affected users, stating that while financial data remained secure, the exposed information creates a high risk for targeted phishing and doxing. With access to bios and social handles, attackers can craft convincing emails masquerading as creators or support staff.










