Substack Confirms Data Breach: Email Addresses and Phone Numbers Exposed in 2025 Attack
Substack alerts users to a security incident where attackers stole email addresses and phone numbers in October 2025. Learn the impact and mitigation steps.
Substack Discloses Data Breach Affecting User Contact Information
Newsletter platform Substack has begun notifying users of a data breach that resulted in the theft of email addresses and phone numbers. The incident, which occurred in October 2025, was confirmed in a recent security notice sent to affected individuals.
Key Details of the Breach
According to Substack’s disclosure, threat actors successfully exfiltrated user email addresses and phone numbers during the attack. The company has not released specific details about the attack vector, but the breach appears limited to contact information rather than passwords or financial data. Substack has not disclosed the total number of affected users.
At this time, there is no evidence that the stolen data has been publicly leaked or used in follow-up attacks, such as phishing campaigns. However, security experts warn that exposed contact details could be leveraged for targeted social engineering attacks or spam campaigns.
Impact Analysis
While the breach does not involve passwords, payment information, or sensitive content, the exposure of email addresses and phone numbers poses risks, including:
- Increased phishing attempts targeting Substack users
- SIM-swapping attacks if phone numbers are linked to accounts
- Spam and unsolicited communications via email or SMS
Substack has not reported any fraudulent activity linked to the breach but urges users to remain vigilant against suspicious messages.
Recommendations for Affected Users
Security professionals advise the following steps to mitigate risks:
- Enable multi-factor authentication (MFA) on Substack and other critical accounts
- Monitor for phishing attempts, particularly emails or messages claiming to be from Substack
- Be cautious of unsolicited communications requesting personal or account information
- Consider using a secondary email for newsletter subscriptions to limit exposure
Substack has not yet released a public statement beyond the user notifications, and further details about the incident may emerge as investigations continue.
This is a developing story. Updates will be provided as more information becomes available.