Substack Data Breach 2026

Substack Data Breach

Status: Confirmed
663K Records
Oct 2025 Breach
Feb 2026 Reported

Breach Overview

  • Threat Actor: Unidentified (claimed scraping attack)
  • Vector: Unauthorized third-party access via scraping (per threat actor claims)
  • Date of Breach: October 2025
  • Date of Discovery: February 3, 2026
  • Date of Reporting: February 5–6, 2026
  • Data Posted / Circulated: February 2026
  • Records Stolen: 663,000 records (threat actor claimed ~700,000)
  • Data Source Attribution: Have I Been Pwned (added Feb 6, 2026), dark web listings, independent security reporting

Summary

In October 2025, Substack suffered a data breach that was publicly disclosed in February 2026.

An unauthorized third party accessed user data through what the threat actor described as a "noisy" scraping attack. The exposed dataset contains approximately 663,000 account records.

The data includes email addresses, publicly visible profile information, and a subset of phone numbers.

Substack CEO Chris Best notified users by email, stating that passwords, credit card numbers, and financial information were not exposed.

Despite that assurance, the combination of email addresses and phone numbers materially increases account takeover and SIM swap risk, particularly in a 2FA-driven authentication environment.

The dataset began circulating more widely in February 2026 after claims surfaced on dark web forums.

About Substack

Substack is a subscription-based publishing platform used by independent journalists, writers, analysts, and content creators.

The company reports:

  • Over 50 million active subscriptions
  • Over 5 million paid subscriptions
  • Approximately 17,000 revenue-earning writers

Accounts often include:

  • Public-facing author bios
  • Publication names
  • Profile photos
  • Payment-linked subscriber relationships

Because many Substack writers are journalists, political commentators, and industry analysts, exposure carries elevated reputational and harassment risk.

Data Points Exposed

Data observed in the breach:

  • Email address
  • Phone number (subset of users)
  • Username
  • Full name
  • Bio
  • Publication name
  • Internal metadata fields

Not observed in the breach:

  • Passwords
  • Credit card numbers
  • Stripe financial data
  • Direct authentication credentials

Dark Web Verification

Status: Confirmed

  • The dataset has been indexed by breach intelligence platforms and added to Have I Been Pwned on February 6, 2026.
  • Initial claims suggested up to 700,000 records. Verified records total approximately 663,000 rows.
  • The threat actor described the attack as "noisy" scraping, which led to quick mitigations by Substack.
  • Substack confirmed the breach and reported that the vulnerability was fixed shortly after discovery.
  • No evidence has been publicly presented indicating active misuse of the data at the time of disclosure. However, absence of evidence is not absence of risk.
  • The data continues to circulate across breach-sharing communities.

Impact

This breach does not involve direct financial theft.

It increases identity and account takeover risk.

Why Email + Phone Matters

In modern authentication systems:

  • Email controls password resets
  • Phone numbers control SMS-based 2FA
  • SIM swap attacks target mobile accounts
  • Phishing campaigns leverage both together

The pairing of verified email addresses and phone numbers creates a high-confidence targeting list.

Potential Impacts

  • Targeted phishing referencing newsletters or subscriptions
  • SIM swap attempts
  • Account takeover via SMS interception
  • Harassment of public-facing writers
  • Impersonation of journalists or political commentators
  • Credential stuffing on accounts using the same email

Writers and creators face amplified exposure because their professional identity is directly tied to their Substack profile.

Recommendations for Impacted Clients

If you believe your information may be included:

Check Your Exposure

If you are an ObscureIQ client, this breach has been indexed into your exposure profile. Non-clients may request a breach review.

Lock Down Your Mobile Account

Contact your carrier and:

  • Add a SIM lock or port-out PIN
  • Disable SMS-based account recovery where possible

Move Away from SMS 2FA

Use hardware keys or authenticator apps instead.

Secure Email Accounts

  • Enable MFA immediately.
  • Audit recovery email and phone settings.

Expect Targeted Phishing

Be cautious of messages referencing:

  • Subscription billing issues
  • Account verification requests
  • Payment processor updates
  • Newsletter collaborations

Verify through official channels only.

Protect High-Visibility Writers

Journalists, political writers, and public commentators should:

  • Separate public and private contact emails
  • Monitor impersonation attempts
  • Reduce exposed personal metadata

Suppress Data Broker Exposure

Remove enriched phone numbers and addresses from broker databases.
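
An added example (not ObscureIQ's or Substack's code) applying the email + phone reasoning above: it matches an account inventory against exposed identifiers, normalizing case and phone formatting first, and ranks each account by which reset or SMS channel the exposed pair controls. All addresses, numbers, account names, the default country code and the severity labels are constructed assumptions.

```python
import re

# Constructed sample data: identifiers an exposure check reported as leaked.
EXPOSED_EMAILS = {"writer@example.com", "analyst@example.org"}
EXPOSED_PHONES = {"+15555550101"}

# Constructed inventory: the email and phone each account trusts for recovery/2FA.
ACCOUNTS = [
    {"name": "newsletter-admin", "recovery_email": "Writer@Example.com",
     "sms_phone": "+1 (555) 555-0101", "mfa": "sms"},
    {"name": "bank", "recovery_email": "analyst@example.org",
     "sms_phone": None, "mfa": "hardware_key"},
    {"name": "payroll", "recovery_email": "private@example.net",
     "sms_phone": "555-555-0101", "mfa": "totp"},
    {"name": "personal-mail", "recovery_email": "other@example.net",
     "sms_phone": "+1 555 555 0199", "mfa": "sms"},
]

def norm_email(addr):
    """Case-fold and trim so 'Writer@Example.com' matches the leaked form."""
    return addr.strip().lower() if addr else None

def norm_phone(num, default_cc="1"):
    """Reduce to +<digits>; assume default_cc (hypothetical) for 10-digit input."""
    if not num:
        return None
    digits = re.sub(r"\D", "", num)
    return "+" + (default_cc + digits if len(digits) == 10 else digits)

def triage(acct):
    """Return (severity, action) for one account; labels are this example's own."""
    email_hit = norm_email(acct["recovery_email"]) in EXPOSED_EMAILS
    phone_hit = norm_phone(acct["sms_phone"]) in EXPOSED_PHONES
    if email_hit and phone_hit and acct["mfa"] == "sms":
        return "critical", "reset channel and SMS factor both exposed: move off SMS 2FA"
    if phone_hit:
        return "high", "exposed number receives SMS: set port-out PIN, drop SMS recovery"
    if email_hit:
        return "medium", "exposed reset address: expect phishing, audit recovery settings"
    return "low", "no exposed identifier trusted by this account"

def report(accounts=ACCOUNTS):
    order = {"critical": 0, "high": 1, "medium": 2, "low": 3}  # worst first
    rows = [(a["name"], *triage(a)) for a in accounts]
    return sorted(rows, key=lambda r: order[r[1]])

if __name__ == "__main__":
    for name, severity, action in report():
        print(f"{severity:8} {name:18} {action}")
```

Without the normalization step, the first and third accounts would be missed, since their stored email case and phone formatting differ from the leaked form.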

Corporate Accountability

Substack is a private company founded in 2017.

Unlike publicly traded firms, it is not subject to SEC breach disclosure rules.

The company stated it fixed the issue and is conducting a full investigation.

Organizations collecting user data have a legal obligation to implement reasonable safeguards and secure internal systems.

ObscureIQ Advisory

Most breach notices downplay incidents when passwords are not exposed.

That framing misses the operational reality.

In a 2FA and SIM swap environment, email + phone is critical identity infrastructure.

We combine proprietary dark web monitoring with restricted breach datasets to confirm exposure and assess real-world targeting risk.

If you are:
  • A journalist
  • A political writer
  • A paid Substack creator
  • A public-facing analyst
  • Or a subscriber concerned about identity risk

We can verify circulation and model downstream threats.

Contact ObscureIQ for a free breach impact check.

If you believe your information may be part of this breach, or want confirmation across other datasets,

We use a multi-layered intelligence stack, combining public and restricted dark-web sources, to confirm whether your data is in circulation.