The Substack Newsletter platform has confirmed the data breach in an email to users. The company said that in October, an “unauthorized third party” accessed user data, including email addresses, phone numbers, and other unspecified “internal metadata.”
Substack ensures that more sensitive data, such as credit card numbers, passwords, and other financial information, is not affected.
In an email sent to users, Substack’s chief executive officer Chris Best said the company was aware of the issue in February which allowed people to access the system. Best said that the company has fixed the problem and started an investigation.
“I am working to make you aware of a security incident that resulted in the email address and phone number from your Substack account being shared without your permission,” Best said in an email to users. “We’re sorry this happened. We take our responsibility to protect your data and privacy very seriously, and we’re here to.”
It is not clear what the problem is with the system, and the scope of the data accessed. It is also not known why the company took five months to detect the breach, or whether the company was contacted by hackers demanding a ransom. TechCrunch asked the company for more details, and we’ll update the story if we hear back.
Substack did not say how many users were affected. The company said there was no evidence that user data was misused, but did not say whether technical means, such as logs, should detect evidence of abuse. However, the company asks users to be careful with emails and texts without specific indicators or directions.
On its website, Substack says the site has more than 50 million active subscriptions, including 5 million paid subscriptions — a milestone reached last March. In July 2025, the company increased $100 million in Series C funding led by BOND and The Chernin Group (TCG) with the participation of a16z, Klutch Sports Group CEO Rich Paul, and Skims co-founder Jens Grede.
Techcrunch event
Boston, MA
|
June 23, 2026