Hacker claims nearly 700,000 Substack records exposed; company investigates
Substack says email addresses, phone numbers and internal metadata were accessed; a hacker claims nearly 700,000 records, raising phishing and trust concerns.

A threat actor posted on a cybercrime forum claiming to have stolen nearly 700,000 Substack user records, including names, email addresses, phone numbers, profile pictures, user IDs and bios, according to a SecurityWeek report. The forum post, which the outlet attributed directly to the actor, said the data were obtained through scraping and that the attack was “noisy,” prompting swift mitigations by the company.
Substack confirmed that an “unauthorized third party” accessed internal systems in October 2025 and that the company identified evidence of the problem on February 3. In an email to some users signed by CEO Chris Best, Substack said the incident “allowed an unauthorized third party to access limited user data without permission, including email addresses, phone numbers, and other internal metadata,” language reported by The Verge. The company has begun notifying affected accounts; Fox News reported the notification email went out on Feb. 4.
While Substack said it “fixed the problem” and has launched a full investigation as it bolsters systems and processes, the company also acknowledged important limits to what it shared. “Passwords, credit card numbers, and other financial information were not exposed,” the company stated, as quoted in multiple published reports. Substack added that “we do not have evidence that this information is being misused, but we encourage you to take extra caution with any emails or text messages you receive that may be suspicious,” an admonition quoted by The Verge.
The discrepancy between the hacker’s claimed haul and Substack’s public disclosures leaves key questions unanswered. Substack did not, in the quoted materials, provide a confirmed total of impacted accounts, and it has not described the technical root cause of the access. Outlets including TechCrunch noted that it remains unclear why access that reportedly occurred in October went undiscovered until February and whether the company received any ransom demands. SecurityWeek noted that Substack’s platform hosts roughly 35 million subscribers, a scale that makes even partial exposures consequential.

Beyond immediate privacy harms, the leak spotlighted broader risks that cut across public health and social equity. Exposed emails and phone numbers can fuel highly targeted phishing, SIM-swap attacks, and disinformation campaigns. Those threats are especially dangerous for people who depend on Substack newsletters for trusted health information, mutual-aid coordination, advocacy or gig income; smaller publishers and marginalized communities may face disproportionate harm from lost trust or operational disruption.
Substack CEO Chris Best apologized in the user email. “I’m incredibly sorry this happened. We take our responsibility to protect your data and your privacy seriously, and we came up short here,” Best said, as reported by TechCrunch and The Verge. The company has said it will review systems and processes to prevent a recurrence, but offered no public timeline for sharing technical details or a final tally of affected users.
For readers, the immediate practical step is vigilance: treat unexpected emails or texts with caution and scrutinize messages that request account credentials or other sensitive actions. For publishers, creators and public-interest communicators, the episode underscores the need for clearer incident reporting standards, faster detection, and independent forensic review so communities that rely on digital platforms can better assess and mitigate risks to health, safety and livelihoods.