
Substack notifies users of data breach affecting nearly 700,000 accounts

DataBreach.com Team · February 9th 2026, 11:59 am EST

The newsletter platform Substack has begun notifying users of a data breach involving the personal information of nearly 700,000 accounts, confirming reports that surfaced on cybercrime forums earlier this week.

While the incident was officially acknowledged by the company on February 3, the unauthorized access reportedly occurred months earlier, in October 2025.

In an email sent to affected users, Substack CEO Chris Best stated that the company’s security team identified a vulnerability that had been exploited to scrape user records. The incident came to light after a threat actor on the illicit marketplace BreachForums published a dataset claiming to contain 697,313 user records.

According to the forum post, the data was obtained via a "noisy" scraping method that targeted the platform's API. The attacker noted that the method was identified and patched quickly by Substack engineering, limiting the scope of the leak relative to the platform's 35 million active subscriptions.

Extensive metadata exposed

While Substack emphasized that no passwords, credit card numbers, or financial information were accessed, the leaked database contains a significant amount of user metadata.

The compromised fields include full names, email addresses, phone numbers, and Stripe Customer IDs (identifiers used to link subscribers to payment processors). Additionally, the leak exposed social media handles, account biographies, and profile pictures, data points that security researchers warn could be used for targeted phishing campaigns.

"We have fixed the problem and put additional safeguards in place," Best wrote in the notification. The company did not immediately respond to requests for comment regarding the four-month delay between the initial scraping incident and the notification of users.

A trend of API exploitation

The incident highlights the growing trend of scraping attacks targeting API vulnerabilities. Unlike traditional breaches involving server penetration, these attacks abuse legitimate data request functions to harvest public and semi-private information in bulk.

Security analysts have noted that the exposure of biographical data and social connections raises the risk of social engineering, allowing threat actors to craft convincing impersonation emails. Substack is urging users to remain vigilant against unsolicited communications referencing their account details.
