High

Substack Breach: 663K Accounts Exposed

In October 2025, the publishing platform Substack suffered a data breach that was subsequently circulated more widely in February 2026. The breach exposed 663k account holder records containing email addresses along with publicly visible profile information from Substack accounts, such as publicatio...

Overview

In October 2025, Substack suffered a data breach exposing 663,121 account records; the data then circulated more widely on the dark web in February 2026. The leaked fields were email addresses, names, and phone numbers, together with publicly visible profile information such as publication names and user bios. The incident was loaded into Have I Been Pwned, where affected users can check whether their address appears.

What Was Exposed

The exposed data falls into four categories:

  • Email addresses: Primary login identifiers for Substack accounts.
  • Names: Full names as shown on public profiles.
  • Phone numbers: Numbers attached to accounts, typically for two-factor authentication and account recovery; these are not shown on public profiles.
  • Publication names & bios: Publicly visible information tied to newsletters and author pages.

Passwords were not part of the dataset, but the combination still supports credential stuffing (pairing the exposed emails with passwords from other breaches), phishing campaigns aimed at writers and subscribers, and social engineering that leans on known publication associations.

How the Breach Happened

Substack has not disclosed the attack vector. The mix of fields is consistent with unauthorized access to an internal data store or to an API that returned account fields, rather than with scraping of public profile pages alone, because phone numbers are not displayed publicly. The gap between the October 2025 incident and the February 2026 circulation is typical: stolen datasets are often sold or traded privately before they leak more widely. None of this has been confirmed by Substack, so treat it as inference from the exposed fields, not as an established chain of events.

How to Check If You’re Affected

  1. Use Have I Been Pwned: Visit haveibeenpwned.com and enter the email address tied to your Substack account; HIBP lists every breach that address appears in and the data classes exposed.
  2. Check your phone number: HIBP searches by email address, not by phone number, so if your email is listed, assume the phone number attached to your Substack account at the time was exposed as well.
  3. Look for suspicious activity: Watch for Substack sign-in emails or notifications you did not request, which indicate someone attempting to log in as you.
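For a team that needs to run the same check across many addresses (staff who publish on Substack, or subscribers of a company newsletter), the lookup can be scripted against the HIBP v3 API. The following Python is an added example, not Substack's or HIBP's own code. It uses the documented `breachedaccount` endpoint, which requires an API key in the `hibp-api-key` header and a `user-agent`, answers 200 with a JSON array of breaches, 404 when the address is in no breach, and 429 when rate limited. The `fetch` and `sleep` parameters, the `SAMPLE_RESPONSES` data and the addresses in it are assumptions constructed so the logic runs offline.

```python
"""Check email addresses against Have I Been Pwned for a named breach.

Added example; not Substack's or HIBP's own code. It calls the documented
HIBP v3 'breachedaccount' endpoint, which needs an API key sent in the
'hibp-api-key' header and a 'user-agent', returns 200 with a JSON array of
breaches, 404 when the address is not in any breach, and 429 when rate
limited. 'fetch' and 'sleep' are injectable so the logic can run offline.
"""
import json
import time
import urllib.error
import urllib.parse
import urllib.request

HIBP_API = "https://haveibeenpwned.com/api/v3"


def hibp_fetch(url, api_key):
    """GET a HIBP URL. Returns (status, body); HTTP errors are returned, not raised."""
    req = urllib.request.Request(url, headers={
        "hibp-api-key": api_key,
        "user-agent": "breach-check-example",  # assumed identifier; HIBP requires some UA
    })
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode(errors="replace")


def breaches_for_account(email, api_key, fetch=hibp_fetch, sleep=time.sleep, retries=3):
    """Return the list of breach records for one address ([] when HIBP answers 404)."""
    url = (f"{HIBP_API}/breachedaccount/{urllib.parse.quote(email, safe='')}"
           "?truncateResponse=false")  # full records, so DataClasses are included
    for attempt in range(retries):
        status, body = fetch(url, api_key)
        if status == 200:
            return json.loads(body)
        if status == 404:
            return []
        if status == 429:
            sleep(2 * (attempt + 1))  # back off; HIBP enforces a per-key rate limit
            continue
        raise RuntimeError(f"HIBP returned HTTP {status} for {email}")
    raise RuntimeError(f"HIBP kept rate-limiting the lookup for {email}")


def accounts_in_breach(emails, breach_name, api_key, fetch=hibp_fetch):
    """Map each address present in `breach_name` to that breach's date and data classes."""
    hits = {}
    for email in emails:
        for breach in breaches_for_account(email, api_key, fetch):
            if breach.get("Name", "").lower() == breach_name.lower():
                hits[email] = {"date": breach.get("BreachDate"),
                               "data": breach.get("DataClasses", [])}
    return hits


# Constructed responses so the check runs offline. They copy the shape of the
# HIBP API; the addresses, dates and data classes are placeholders, not real data.
SAMPLE_RESPONSES = {
    "writer@example.com": (200, json.dumps([
        {"Name": "Substack", "BreachDate": "2025-10-01",
         "DataClasses": ["Email addresses", "Names", "Phone numbers"]},
        {"Name": "OtherSite", "BreachDate": "2021-03-03",
         "DataClasses": ["Email addresses", "Passwords"]},
    ])),
    "reader@example.com": (200, json.dumps([
        {"Name": "OtherSite", "BreachDate": "2021-03-03",
         "DataClasses": ["Email addresses", "Passwords"]},
    ])),
    "clean@example.com": (404, '{"statusCode":404,"message":"Not found"}'),
}


def sample_fetch(url, api_key):
    """Stand-in for hibp_fetch that answers from SAMPLE_RESPONSES."""
    email = urllib.parse.unquote(url.rsplit("/", 1)[1].split("?")[0])
    return SAMPLE_RESPONSES.get(email, (404, ""))


if __name__ == "__main__":
    hits = accounts_in_breach(list(SAMPLE_RESPONSES), "Substack", "dummy-key",
                              fetch=sample_fetch)
    for email, info in hits.items():
        print(f"{email}: in Substack breach ({info['date']}), exposed: {', '.join(info['data'])}")
```

Against the live API, drop `fetch=sample_fetch` and pass a real key; the 404 branch is what distinguishes "not in any breach" from a transport error, and the 429 backoff matters because HIBP rate-limits per key, so a bulk run without it fails partway through a list.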

What to Do Right Now

  • Enable two-factor authentication if your Substack account offers it, using an authenticator app rather than SMS, since the leaked phone numbers make SMS codes a weaker second factor.
  • If you set a password on Substack, change it to a unique, strong one that is not reused elsewhere; the breach did not include passwords, but reused passwords from other breaches are exactly what credential stuffing relies on.
  • Beware of phishing: Attackers may use known publication names to send convincing emails asking for payment details or login credentials.
  • Update recovery email/phone: Ensure your account recovery options use a separate email and phone number.

Account Takeover Risks

With emails, names, and phone numbers exposed, affected users face elevated risks of:

  • Credential stuffing: Passwords were not part of this leak, but attackers combine the exposed email addresses with passwords from other breaches and replay them against Substack and any other service where the same address is used.
  • SIM swapping: With phone numbers known, attackers may attempt to hijack SMS-based 2FA.
  • Targeted phishing: Writers with popular publications could be impersonated to scam subscribers or solicit fake sponsorships.
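For operators of any service whose users overlap with this dataset, the distinguishing signature of credential stuffing is one source trying many different accounts with a few passwords each, as opposed to brute force against a single account. The following Python is an added example, not Substack's code, that runs that detection over a constructed log format (timestamp, source IP, account, outcome); the log lines, the IPs and the thresholds (five distinct accounts within five minutes) are assumptions to be tuned per service.

```python
"""Spot credential stuffing in authentication logs.

Added example, not Substack's code. The log format is constructed for this
illustration: '<ISO-8601 timestamp> <source IP> <account email> <LOGIN_OK|LOGIN_FAIL>'.
Thresholds (5 distinct accounts within 5 minutes) are assumptions to tune per service.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source cycling through many accounts (stuffing) and
# landing one success, one source hammering a single account (brute force,
# not stuffing), and one slow source spread over forty minutes.
SAMPLE_LOG = """\
2026-02-14T10:00:01Z 203.0.113.7 alice@example.com LOGIN_FAIL
2026-02-14T10:00:02Z 203.0.113.7 bob@example.com LOGIN_FAIL
2026-02-14T10:00:03Z 203.0.113.7 dan@example.com LOGIN_FAIL
2026-02-14T10:00:04Z 203.0.113.7 erin@example.com LOGIN_FAIL
2026-02-14T10:00:05Z 203.0.113.7 frank@example.com LOGIN_FAIL
2026-02-14T10:00:06Z 203.0.113.7 grace@example.com LOGIN_FAIL
2026-02-14T10:00:07Z 203.0.113.7 carol@example.com LOGIN_OK
2026-02-14T10:05:00Z 198.51.100.4 dave@example.com LOGIN_FAIL
2026-02-14T10:05:01Z 198.51.100.4 dave@example.com LOGIN_FAIL
2026-02-14T10:05:02Z 198.51.100.4 dave@example.com LOGIN_FAIL
2026-02-14T10:05:03Z 198.51.100.4 dave@example.com LOGIN_FAIL
2026-02-14T10:05:10Z 198.51.100.4 dave@example.com LOGIN_OK
2026-02-14T10:00:00Z 192.0.2.9 heidi@example.com LOGIN_FAIL
2026-02-14T10:10:00Z 192.0.2.9 ivan@example.com LOGIN_FAIL
2026-02-14T10:20:00Z 192.0.2.9 judy@example.com LOGIN_FAIL
2026-02-14T10:30:00Z 192.0.2.9 mallory@example.com LOGIN_FAIL
2026-02-14T10:40:00Z 192.0.2.9 niaj@example.com LOGIN_FAIL
"""


def parse_log(text):
    """Parse lines into (timestamp, ip, account, outcome) tuples; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, account.lower(), outcome))
    return events


def stuffing_sources(events, window=timedelta(minutes=5), min_accounts=5):
    """IPs whose failed logins cover >= min_accounts distinct accounts inside one window.

    Returns {ip: largest number of distinct accounts seen in any window}.
    Stuffing is 'many accounts, few passwords each', so the signal is account
    breadth from one source, not the failure count against one account.
    """
    fails_by_ip = defaultdict(list)
    for ts, ip, account, outcome in events:
        if outcome == "LOGIN_FAIL":
            fails_by_ip[ip].append((ts, account))
    flagged = {}
    for ip, fails in fails_by_ip.items():
        fails.sort()
        lo = 0
        for hi in range(len(fails)):
            while fails[hi][0] - fails[lo][0] > window:  # slide the window start forward
                lo += 1
            distinct = {acct for _, acct in fails[lo:hi + 1]}
            if len(distinct) >= min_accounts:
                flagged[ip] = max(len(distinct), flagged.get(ip, 0))
    return flagged


def likely_takeovers(events, sources):
    """Accounts that logged in successfully from a flagged source: the reused-password victims."""
    return sorted({account for _, ip, account, outcome in events
                   if ip in sources and outcome == "LOGIN_OK"})


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    sources = stuffing_sources(events)
    print("stuffing sources:", sources)
    print("accounts to lock and notify:", likely_takeovers(events, sources))
```

On the sample, only 203.0.113.7 is flagged (six distinct accounts in six seconds) and carol@example.com is the account to lock and re-verify; 198.51.100.4 is brute force against one account and needs a different rule, and 192.0.2.9 shows the evasion case, where spreading attempts beyond the window defeats a purely time-boxed count and argues for a longer secondary window or per-ASN aggregation.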

Security Insight

The inclusion of phone numbers alongside public profile fields suggests that account-recovery or verification data was reachable through the same store or query path as the public profile, which is a design gap whatever the exact attack vector turns out to be. Unlike breaches that expose drafts or payment data, this one shows how platform-specific data (publication names, bios) can be weaponized for social engineering: an attacker can write to a subscriber in the voice of a publication that person actually follows. The structural fix is to keep authentication and recovery data (phone numbers, recovery emails) in a separate store with field-level encryption and its own access controls, so that a compromise or an over-permissive query of the profile database does not yield them.
