Substack, a popular newsletter platform, has officially confirmed a data breach in a communication to its users. The company disclosed that, in October, an “unauthorized third party” gained access to user data, including email addresses, phone numbers, and various unspecified “internal metadata.”
Substack clarified that more sensitive information, such as credit card numbers, passwords, and other financial details, remained unaffected by the breach.
In a message addressed to users, Substack’s CEO, Chris Best, indicated that the issue was identified in February, which enabled unauthorized access to the company’s systems. Best assured users that Substack has rectified the vulnerability and initiated an investigation into the incident.
“I’m reaching out to inform you of a security incident that resulted in your Substack account’s email address and phone number being shared without your consent,” Best stated in his communication. “I sincerely apologize for this occurrence. We take our duty to safeguard your data and your privacy very seriously, and we recognize that we did not meet that responsibility on this occasion.”
Currently, the specifics of the system vulnerability and the full extent of the accessed data remain unclear. Additionally, it is not known why it took the company five months to detect the breach or whether hackers contacted Substack for ransom. TechCrunch has reached out to the company for further information and will update the report upon receipt of a response.
Substack has not disclosed the number of affected users. The company states that there is no evidence of misuse of user data but has not specified the technical measures, such as logging practices, employed to detect potential abuses. Nevertheless, the company advises users to exercise caution with unsolicited emails and texts that lack proper indicators or instructions.
On its official website, Substack mentions that it boasts over 50 million active subscriptions, inclusive of 5 million paid subscriptions, a milestone achieved in March. In July 2025, the company successfully raised $100 million in Series C funding, spearheaded by BOND and The Chernin Group (TCG), with additional participation from a16z, Klutch Sports Group CEO Rich Paul, and Skims co-founder Jens Grede.
TechCrunch Event
Boston, MA
|
June 23, 2026
About the Author
