Substack exposes emails and user phones: the late intrusion that revives fear of phishing

Published (5 min read)

The Substack newsletter platform has started to warn users about an intrusion into its systems which, according to the company, allowed a third party to access limited data in October 2025. Although the events occurred months ago, the company indicates that the incident was only detected and investigated much later, which has generated concern among creators and subscribers.

According to the public statement by CEO Chris Best, who shared details on his BlueSky profile, the compromised information includes e-mail addresses, phone numbers and certain internal metadata. Best stressed that, for now, there is no evidence that card numbers, passwords or financial information have been exposed. His original message can be read on the platform where he posted it: Chris Best's post on BlueSky.

Image generated with AI.

While Substack has not yet published an official number of affected accounts, a dump appeared this week on cybercrime forums that, according to its author, contains 697,313 records allegedly extracted from the platform. The alleged attacker also claims to have used a scraping technique that was "noisy" and, once detected, was quickly blocked. In such cases it is common for the figures and the veracity of the data to be independently verified; for this reason the company keeps the investigation open.

The delay between the date of access (October) and the date of detection raises two central questions: on the one hand, what vulnerability allowed the data extraction and whether it has already been fixed; on the other, what internal controls failed in monitoring and early response. Substack has reported that the flaw that allowed access has already been fixed, and has alerted users to a possible increase in targeted phishing attempts using the addresses and numbers obtained.

That no passwords or financial information were stolen does not eliminate the risk. With e-mail addresses and phone numbers it is possible to orchestrate more convincing deception campaigns: messages that appear to come from Substack, verification requests, false offers or links that install malware. This is why the company has recommended increased caution towards suspicious messages, and always verifying the sender and the URLs before interacting.

If you are a subscriber or creator on Substack, the wise thing now is to be extra vigilant about incoming communications and follow good security practices. Although Substack itself claims to have no evidence of abuse of the data, it is appropriate to distrust urgent messages that ask for clicks, passwords or codes, and to confirm any request through official channels. For practical guidance on how to recognize and respond to phishing attempts, cybersecurity authorities offer useful guides: for example, the United States Cybersecurity Agency (CISA) has resources on phishing at https://www.cisa.gov/phishing and the Federal Trade Commission (FTC) publishes advice on what to do after a data leak at https://www.consumer.ftc.gov/articles/data-breaches.

This episode also revives a broader discussion: the responsibility of platforms that host content and manage large subscriber lists. Substack, launched in 2017 and now a haven for journalists and independent creators, has had previous incidents related to e-mail management; in 2020 an administrative error exposed users' addresses in a mass mailing, a failure that the company itself acknowledged publicly at the time on social media (Substack's tweet on the 2020 exposure). Repeated incidents, even when the compromised data is relatively limited, erode trust and call for a review of technical and organizational measures.

From the perspective of a content creator on the platform, the leak poses reputational and operational risks: any phishing attack aimed at a subscriber list can be mistakenly associated with the legitimate sender, damaging the relationship with the audience. To mitigate this, authors can reinforce their communications to their community, explain what is going on and offer safe ways to verify messages (for example, confirming the official URLs and reminding readers that the platform never requests passwords by e-mail).


At the technical level, the usual lesson from such incidents is twofold: improve the observability of systems so that abnormal behaviour is detected as early as possible, and implement controls that minimize the amount of data accessible if something fails. Data segregation, detailed access logging and alerts based on unusual patterns are practices that help shorten the time between an intrusion and its detection.
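One concrete form of the "alerts based on unusual patterns" mentioned above, as an added example and not Substack's own code: a sliding-window check over constructed API access logs that flags any client fetching an unusually large number of distinct profile records in a short period, which is the signature of the "noisy" scraping described earlier. The log format, the `/api/profile/` path, the client ids and the thresholds are assumptions.

```python
# Added example (not Substack's code): breadth-of-access detection for
# record-enumeration ("scraping") in API access logs.
# Assumed log line format: "<ISO timestamp> <client_id> <HTTP status> <path>"
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def parse_line(line):
    ts, client, status, path = line.split()
    return datetime.fromisoformat(ts), client, int(status), path


def scraping_suspects(lines, window=timedelta(minutes=5), max_distinct=50):
    """Return {client_id: peak_distinct} for every client that was served
    more than max_distinct distinct profile records inside any window."""
    events = defaultdict(list)
    for line in lines:
        ts, client, status, path = parse_line(line)
        # Only count records actually served; blocked requests (4xx/5xx) do
        # not expose data, although they are worth alerting on separately.
        if status < 400 and path.startswith("/api/profile/"):
            events[client].append((ts, path))
    flagged = {}
    for client, evs in events.items():
        evs.sort()
        seen, start, peak = Counter(), 0, 0      # sliding-window state
        for ts, path in evs:
            seen[path] += 1
            while ts - evs[start][0] > window:    # drop events that left the window
                old_path = evs[start][1]
                seen[old_path] -= 1
                if seen[old_path] == 0:
                    del seen[old_path]
                start += 1
            peak = max(peak, len(seen))
        if peak > max_distinct:
            flagged[client] = peak
    return flagged


def build_sample_log():
    """Constructed sample: one ordinary reader re-opening a single profile, and
    one client enumerating 120 sequential profile ids in two minutes before
    being rate-limited (the 429 line is excluded from the exposure count)."""
    base = datetime(2025, 10, 3, 10, 0, 0)
    stamp = lambda s: (base + timedelta(seconds=s)).isoformat()
    lines = [f"{stamp(s)} c-reader 200 /api/profile/1001" for s in (0, 40, 300, 900)]
    lines += [f"{stamp(i)} c-scraper 200 /api/profile/{2000 + i}" for i in range(120)]
    lines.append(f"{stamp(121)} c-scraper 429 /api/profile/2120")
    return lines


if __name__ == "__main__":
    print(scraping_suspects(build_sample_log()))  # {'c-scraper': 120}
```

In practice the threshold would be tuned against each endpoint's normal per-client breadth, and the alert would fire from the log pipeline rather than from a batch script.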

Substack still needs to provide more details on exactly how the leak occurred, how many users were affected and what additional measures it will take to prevent new incidents. Meanwhile, users should stay alert, verify the authenticity of communications linked to the platform and use official sources to confirm any unusual requests. For news and technical updates on the incident, specialized computer security media often cover such leaks; the portal BleepingComputer and other technology outlets will be reference points as the investigation progresses.

Technology that enables the independence of creators also implies a great responsibility in the management of personal data. This case is a reminder that, beyond offering good tools to publish and monetize content, platforms must constantly invest in security and transparency. And for users, the maxim remains the same: cybersecurity education and habits that reduce the attack surface, because data that today may seem like "only" addresses and phone numbers is the raw material from which many digital scams are made.
