Substack confirms data breach affects users’ email addresses and phone numbers

2026-02-08 04:34 · techcrunch.com

Substack said that customer data was accessed in October 2025 but wasn't discovered until early February.

Newsletter platform Substack has confirmed a data breach in an email to users. The company said that in October, an “unauthorized third party” accessed user data, including email addresses, phone numbers, and other unspecified “internal metadata.”

Substack specified that more sensitive data, such as credit card numbers, passwords, and other financial information, was unaffected.

In an email sent to users, Substack chief executive Chris Best said that in February the company identified the issue that allowed someone to access its systems. Best said that Substack has fixed the problem and started an investigation.

“I’m reaching out to let you know about a security incident that resulted in the email address and phone number from your Substack account being shared without your permission,” said Best in the email to users. “I’m incredibly sorry this happened. We take our responsibility to protect your data and your privacy seriously, and we came up short here.”

It’s not clear what exactly the issue with its systems was, or what the full scope of the accessed data is. It’s also not yet known why the company took five months to detect the breach, or whether it was contacted by hackers demanding a ransom. TechCrunch asked the company for more details, and we will update our story if we hear back.

Substack did not say how many users are affected. The company said that it doesn’t have any evidence that users’ data is being misused, but did not say what technical means, such as logs, it has to detect such abuse. It asked users to be cautious with emails and texts, without giving any specific indicators to look for or steps to take.

On its website, Substack says that its site has more than 50 million active subscriptions, including 5 million paid subscriptions — a milestone it reached last March. In July 2025, the company raised $100 million in Series C funding led by BOND and The Chernin Group (TCG), with participation from a16z, Klutch Sports Group CEO Rich Paul, and Skims co-founder Jens Grede.


Comments

  • By dickiedyce, 2026-02-08 06:13 (3 replies)

    Ooopsie... possibly a problem for some folks: https://www.theguardian.com/media/2026/feb/07/revealed-how-s...

    • By lostlogin, 2026-02-08 09:16 (1 reply)

      > some folk

      A very specific folk.

      Volksgemeinschaft is a German expression meaning "people's community", "folk community", "national community", or "racial community", depending on the translation of its component term Volk.

      https://en.wikipedia.org/wiki/Volksgemeinschaft

      • By dxdm, 2026-02-08 11:05 (1 reply)

        Your quote leaves out the most interesting part: the word is now associated with some particularly folksy folk who notoriously used it in their genocidal ideology.

        > The concept was notoriously embraced by the newly founded Nazi Party in the 1920s, and eventually became strongly associated with Nazism after Adolf Hitler's rise to power.

        (From your Wikipedia link.)

        • By lostlogin, 2026-02-08 20:21

          Yeah - I thought people would make the connection from the bit I posted.

          ‘Folksy folk’ is a great euphemism.

    • By BiteCode_dev, 2026-02-08 11:25 (1 reply)

      Looked up NatSocToday on Substack, and they do have the swastika as a banner; they don't even hide it or try to be subtle about it. Full-on Nazi, in plain sight.

      And plot twist, they are anti-Trump.

      I'm overwhelmed.

      • By PlatoIsADisease, 2026-02-08 11:46 (1 reply)

        I'm not caught up on fringe and irrelevant political groups, but I think Trump has a base completely different than a pre-2016 republican would align with.

        Before you would have: Lifelong Red Team Republican(40%), non ideological Opportunists (30%), Ideological Crazies (30%)

        Today you have: Lifelong Red Team Republican(40%), non ideological Opportunists (10%), Ideological Crazies For Trump (50%)

        The GOP lost that upper-middle class(opportunists) and they lost ideological believers(pre 2016 crazies). Given how fast it was lost, I expect it to come back in some manner, but Trumpism is a cult of personality rather than ideology.

        • By roysting, 2026-02-08 13:59 (1 reply)

          I’m not even really sure it’s a cult of personality per se. It seems more like yet another form of mental illness that affects so many Americans in different ways, where they live delusional, parasocial, vicarious lives based on a fantastical world that they’ve put in place of reality they rejected. It’s really no different than all the people in America today who will expend immense amounts of money and resources on caring about “my team” in the performance called the Super Bowl. “My team” this and “my team” that, they say as they cheer and lament “my team” that they don’t have any actual connection to in any form other than having been manipulated and groomed all their life into being in that form of cult.

          It's not really limited to Trump at all, even though the consequential and public nature of Trump takes everyone’s attention … ironically, with its opponents only feeding that loop in how they oppose it.

          It’s a core characteristic of narcissism people rarely understand. Narcissism (individual or system) utterly depends on conflict for its “narcissistic supply”. When you “oppose it”, you are in fact only fueling that which you believe you are opposing. It’s a paradox that people have an impossible time understanding, especially all the people who see “Nazis” everywhere, while openly and violently “protesting” in this supposed “Nazi” regime they’re opposing. Narcissistic control needs that for its manipulation. That is precisely the kind of fuel narcissists love and need and relish with glee as you oppose them, because it means they have you exactly where they want you, emotional and easily manipulated and controlled.

          You think the Super Bowl would happen if people stopped living the delusion of “my team” conflict with “not my team”? When you see that stadium full of people, realize that every single one of those thousands of people, will have spent on avg. ~$15,000 per person. It takes manipulation into a state of mental illness to do that. No different than Trump supporters or Nazi fighters or all the other kind of fantasy LARPing that is so pervasive in America, living a life of delusion created for them because it is profitable and makes people easily manipulated.

          • By doublerebel, 2026-02-08 16:28

            Sports are popular everywhere in the world, and any popular event with limited capacity drives up market prices. This rant is nonsense.

    • By versavolt, 2026-02-08 07:15

      [flagged]

  • By witnessme, 2026-02-08 04:34 (6 replies)

    I have been confused for days about whether this is real news or a hoax. Only a Substack user saying they received this email. I did not. And there is no official statement by Substack. What is really going on here?

    • By parable, 2026-02-08 05:34 (1 reply)

      I've seen the leaked data posted on forums. I'm assuming they're trying to minimize the bad PR from this incident by only doing what's legally required, which is to notify affected users. They're likely not obligated to notify the broader public. Whether they should be obligated to do so is another discussion entirely.

      • By meitham, 2026-02-08 06:53 (1 reply)

        Could you please tell me which forum this was posted on

        • By parable, 2026-02-08 08:04 (3 replies)

          I'm fairly sure even mentioning the name of the forum isn't allowed on HN. It should be trivial to find it yourself, though. I also replied to someone else with the CSV headers if you're only trying to find out what exactly was included in the leak: https://news.ycombinator.com/item?id=46932380

          Also, keep in mind that this is a partial leak. The data was scraped from some leaky endpoint which was patched out before every user could be scraped. Only users who were in the partial leak received emails (I have two accounts, only one received an email). If you're a Substack user but didn't receive an email, I'd assume you're not in the leak. Troy Hunt should load it into HIBP eventually, and those concerned can check there if they don't want to seek the leak out on their own.

          • By shawabawa3, 2026-02-08 11:00 (1 reply)

            >I'm fairly sure even mentioning the name of the forum isn't allowed on HN

            Well let's find out

            I did a tiny bit of research, pretty sure it's BreachForums (https://en.wikipedia.org/wiki/BreachForums)

          • By chrisjj, 2026-02-08 10:09 (1 reply)

            > this is a partial leak.

            Substack PR probably love this. Like a gas tank has a partial leak.

            • By parable, 2026-02-08 10:44

              This is actually a great analogy for why companies should take small data leaks seriously. A leak is a leak.

              Also, to clarify, I don't mean to appear as though I'm discrediting this leak or downplaying its severity. I only mentioned that it was a partial leak to offer an explanation as to why some users received emails and others didn't, as witnessme's comment seemed confused about this.

          • By squigz, 2026-02-08 10:23

            > I'm fairly sure even mentioning the name of the forum isn't allowed on HN.

            I'm not sure this would be the case? I've seen plenty of links to content of questionable legality shared on HN.
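The "leaky endpoint" scraping that parable describes above is exactly the kind of abuse the article notes Substack has not said it can detect from its logs. The following is an added example, not Substack's code or anything from the page: a small detector that parses common-format access-log lines and flags clients that walk through per-user IDs on a profile endpoint. The `/api/profile/<id>` path, the client addresses and the log lines are all constructed for the example and are not a claim about Substack's actual API.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Hypothetical per-user endpoint used only for this example; not a claim about
# Substack's real API or the endpoint that was scraped.
PROFILE_RE = re.compile(r"^/api/profile/(?P<id>\d+)$")
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r"(?P<status>\d{3}) (?P<size>\d+)"
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def _line(ip, ts, uid):
    """Build one constructed access-log line in common log format."""
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "GET /api/profile/{uid} HTTP/1.1" 200 812'


def build_sample_log():
    """Constructed traffic (not real logs): a sequential scraper, a heavy but
    non-sequential reader, and an ordinary user."""
    t0 = datetime(2025, 10, 10, 2, 14, 0, tzinfo=timezone.utc)
    lines = []
    # Scraper: walks IDs 1001..1040, one request per second.
    for i in range(40):
        lines.append(_line("203.0.113.9", t0 + timedelta(seconds=i), 1001 + i))
    # Heavy reader: 25 distinct, non-consecutive IDs within four minutes.
    for i in range(25):
        lines.append(_line("198.51.100.8", t0 + timedelta(seconds=10 * i), 3000 + (i * 2919) % 5000))
    # Ordinary user: a handful of profiles spread over half an hour.
    for i, uid in enumerate([1005, 2210, 1733, 42, 9001]):
        lines.append(_line("198.51.100.7", t0 + timedelta(minutes=6 * i), uid))
    return "\n".join(lines)


def parse_log(text):
    """Return (ip, timestamp, profile_id) for every request to the profile endpoint."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        p = PROFILE_RE.match(m["path"])
        if not p:
            continue
        events.append((m["ip"], datetime.strptime(m["ts"], TS_FMT), int(p["id"])))
    return events


def find_enumeration(events, window=timedelta(minutes=5), min_distinct=20,
                     seq_ratio=0.8, max_distinct=200):
    """Flag clients that, inside any `window`, fetched many distinct profile IDs
    that are mostly consecutive (ID walking), or an extreme number of distinct
    IDs regardless of order (randomised scraping)."""
    by_ip = defaultdict(list)
    for ip, ts, uid in events:
        by_ip[ip].append((ts, uid))
    findings = {}
    for ip, reqs in by_ip.items():
        reqs.sort()  # chronological; tuples compare by timestamp first
        best, start = None, 0
        for end in range(len(reqs)):
            # Slide the window start forward until the span fits in `window`.
            while reqs[end][0] - reqs[start][0] > window:
                start += 1
            ids = [uid for _, uid in reqs[start:end + 1]]
            distinct = len(set(ids))
            if distinct < min_distinct:
                continue
            # Fraction of successive requests whose IDs differ by at most 2.
            steps = [b - a for a, b in zip(ids, ids[1:])]
            ratio = sum(1 for s in steps if 0 < abs(s) <= 2) / len(steps)
            if best is None or distinct > best["distinct_ids"]:
                best = {"distinct_ids": distinct, "sequential_ratio": round(ratio, 2),
                        "from": reqs[start][0].isoformat(), "to": reqs[end][0].isoformat()}
        if best and (best["sequential_ratio"] >= seq_ratio or best["distinct_ids"] >= max_distinct):
            findings[ip] = best
    return findings


if __name__ == "__main__":
    for ip, finding in find_enumeration(parse_log(build_sample_log())).items():
        print(ip, finding)
```

Only the scraper is flagged: the heavy reader fetches 25 distinct IDs in the window but with no consecutive steps, so it falls below the volume ceiling. A scraper that randomises IDs defeats the sequential check and is only caught by `max_distinct`, which is why per-client distinct-ID rate limiting at the endpoint is the more robust control than after-the-fact log review.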

    • By ntoskrnl_exe, 2026-02-08 09:00

      According to Have I Been Pwned, 663 thousand accounts were in the breach. You can verify your address there.

    • By proactivesvcs, 2026-02-08 08:59

      It recently popped up on the HIBP feed; they tend to be pretty careful when checking the veracity of claims.

      https://haveibeenpwned.com/Breach/Substack

    • By ochronus, 2026-02-08 09:40

      I don't think it's fake - it explains why suddenly I got a ton of "verify your registration to XYZ" emails in the past week.

    • By Mordisquitos, 2026-02-08 11:35

      Do you reside outside of the EU (and outside anywhere where GDPR equivalents are enforced)? Maybe that would explain it.

      Under GDPR, a business has the obligation to inform users if they have been affected by a data breach. That could hypothetically explain why Substack would inform some users (those protected by GDPRish legislation) while keeping it quiet towards the rest of them.

    • By GeorgeOldfield, 2026-02-08 21:58

      It's real, I have the leak.

  • By slopusila, 2026-02-08 05:22 (5 replies)

    > including email addresses, phone numbers, and other unspecified “internal metadata.”

    > Substack specified that more sensitive data, such as credit card numbers, passwords, and other financial information, was unaffected.

    I hate it when companies do this.

    Passwords and credit card numbers are easily changed.

    Names, emails and phone numbers are not.

    • By parable, 2026-02-08 05:27 (2 replies)

      This is what I've been saying for years. I really could care less if my passwords were leaked. My phone number, on the other hand, is near-impossible to change. The fact that VoIP/virtual numbers are blacklisted from use almost everywhere doesn't help anything, because otherwise I would just use a ton of cheap rented numbers.

      The same goes for full names on file, physical addresses, and other hard-to-change information. Passwords have been the least of my concerns since password managers were invented.

      You could, in theory, use a custom domain or email aliasing service like SimpleLogin or Addy to combat the email address issue, though websites like GitHub have been known to block emails created with an aliasing service. I could go on about why that move does next to nothing to combat actual abuse; any spammer worth their salt can just buy a bunch of Gmail accounts or Outlook accounts instead.
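Per-site aliasing on a domain you control, which the comment above describes as a way to make a leaked email address disposable, is most useful when a leaked alias tells you which site leaked it and cannot be used to guess your aliases at other sites. The following is an added example, not code from the page or from any aliasing provider it names: each alias carries a truncated HMAC tag keyed with a private secret, so a dump like this one can be triaged by service and a plain `service@domain` guess is rejected. The domain, the secret and the naming scheme are assumptions for the example.

```python
import hashlib
import hmac
import re

# Assumed setup: a catch-all domain you control and a private secret.
# Both values are placeholders for the example.
ALIAS_DOMAIN = "example.org"
SECRET = b"replace-with-a-long-random-secret"
TAG_LEN = 8  # hex chars; 32 bits is enough to stop alias guessing, not for anything else


def _norm(service: str) -> str:
    """Normalise a service name to lowercase alphanumerics so it round-trips through the alias."""
    return re.sub(r"[^a-z0-9]", "", service.lower())


def alias_for(service: str, secret: bytes = SECRET) -> str:
    """Derive the stable alias <service>-<tag>@domain; the tag is HMAC(secret, service)."""
    name = _norm(service)
    tag = hmac.new(secret, name.encode(), hashlib.sha256).hexdigest()[:TAG_LEN]
    return f"{name}-{tag}@{ALIAS_DOMAIN}"


ALIAS_RE = re.compile(
    r"^(?P<service>[a-z0-9]+)-(?P<tag>[0-9a-f]{%d})@%s$" % (TAG_LEN, re.escape(ALIAS_DOMAIN))
)


def attribute_leak(address: str, secret: bytes = SECRET):
    """For an address seen in a dump, return (service, True) if it is a genuine alias,
    (service, False) if the service prefix was guessed with a wrong tag, or None if
    it is not one of our aliases at all."""
    m = ALIAS_RE.match(address.strip().lower())
    if not m:
        return None
    expected = hmac.new(secret, m["service"].encode(), hashlib.sha256).hexdigest()[:TAG_LEN]
    return m["service"], hmac.compare_digest(expected, m["tag"])


def triage_dump(addresses, secret: bytes = SECRET):
    """Group the genuine aliases in a dump by the service that leaked them,
    which is the list of aliases to retire and sites to rotate."""
    leaked = {}
    for addr in addresses:
        result = attribute_leak(addr, secret)
        if result and result[1]:
            leaked.setdefault(result[0], []).append(addr)
    return leaked


if __name__ == "__main__":
    # Constructed dump fragment: one real alias, one guessed alias, one unrelated address.
    dump = ["bob@example.com", alias_for("Substack"), "github-00000000@example.org"]
    print(triage_dump(dump))
```

The service name stays in the clear so the alias is self-describing when it turns up in a breach feed; the tag only needs to be unguessable by someone who has seen one alias, which is why a short keyed tag suffices and an unkeyed hash would not. Note the comment's caveat still applies: sites that block aliasing providers will also reject addresses on an unknown catch-all domain at their discretion.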

    • By parable, 2026-02-08 08:14

      I'd edit my other reply to this comment but can't anymore.

      Here are the columns from the CSV file I've seen being shared around on forums, including the "internal metadata". This mostly boils down to full name on file, email, Stripe customer ID, activity metrics, usernames, and phone numbers. Everything else is largely irrelevant.

      id,name,email,email_confirmed,email_confirmation_token,stripe_platform_customer_id,is_global_admin,is_ghost,created_at,anonymous_id,email_bounce_count,photo_url,publisher_agreement_accepted_at,bio,updated_at,profile_set_up_at,tos_accepted_at,email_digest_at,has_passed_captcha,import_confirmation_required,post_notification_preference,reader_installed_at,activity_items_viewed_at,dismissed_ios_app_promo_at,email_notifications_last_resumed_at,previous_name,release_group,handle,phone,bank_payment_failures,is_globally_banned,session_version

    • By praptak, 2026-02-08 07:06 (1 reply)

      Phone numbers are kinda concerning given their popularity as 2FA. A phone number is now basically your shared password for everything. It's also semi public, hard to change and you are basically one SIM swap attack away from a full compromise.

      • By direwolf20, 2026-02-08 12:10

        Europeans (who are the ones notified of the attack) enjoy significant bureaucracy around getting a SIM card assigned or reassigned.

    • By rvz, 2026-02-08 09:31 (2 replies)

      Phone number login in 2026 is really just asking for someone to do a SIM swap attack on the victim's account to steal their identity.

      Surely a list of services that allow phone number logins exists so that one can avoid signing up in the first place and we would then see it in another connecting breach.

      • By jtbayly, 2026-02-08 12:46

        Most banks and credit cards, as far as I’ve seen.

        For example, I tried to set up another form of 2FA on Chase, but it still defaults to phone. I can’t disable or change it.

      • By chrisjj, 2026-02-08 10:14

        PayPal :(

    • By BiteCode_dev, 2026-02-08 11:30

      Also, name, address and phone numbers let you do so many scams.

      A friend of mine received a very well-crafted physical letter at his home about resetting his crypto ledger.

      He is now very stressed because there is news about people with crypto getting abducted.

      And with the ledger leak they have:

      - his name and address

      - how much money he has on his ledger

HackerNews