Three days before Substack notified its users of a security breach, a different account of events was already circulating on underground cybercrime forums. On February 2, 2026, a BreachForums user posting under the alias “w1kkid” claimed to have scraped Substack and collected nearly 700,000 user records. Substack’s CEO corroborated the claim on February 5, confirming unauthorized access to user data and prompting questions about the extent of the breach and the kind of information exposed.
In its notification, Substack described a technical vulnerability that permitted an unauthorized third party to access limited user information. The company identified the flaw on February 3, tracing the intrusions back to as early as October 2025. As detailed in the communication, the exposed data included email addresses, telephone numbers, and internal metadata; however, sensitive data such as passwords and financial information reportedly remained secure.
Insight into Exposed Substack Data
Data retrieved from BreachForums presents a more comprehensive view of the unauthorized access. Sample records reveal what appear to be full user account details, associated with unique numeric identifiers, timestamps of account creation and updates, preferences regarding notifications, and moderation indicators. Notably, these attributes are not typically available through public profiles.
Upon thorough analysis of the extracted database, Hackread identified multiple records belonging to active publishers as opposed to passive readers. The timestamps for accepted publisher agreements, along with associated newsletter identifiers, biographies, and profile images hosted on Substack’s S3 storage, suggest that not only reader accounts but also those linked to monetized content were affected by the breach.
Moreover, the entries include Stripe customer IDs. These do not expose payment card data, but they tie Substack accounts directly to records in Stripe’s payment system, which raises the sensitivity of the exposed data: a user’s identity information could be correlated with their financial transactions.
The breach also encompasses phone numbers from users across various countries, alongside confirmed email addresses and extensive account histories. Records dating back to 2018, along with updates as late as 2025, imply a broad aggregation of user data rather than a targeted collection of recent entries or public profiles.
The internal fields present in the records complicate the picture of a simple scrape. Flags such as is_global_admin, is_ghost, and has_passed_captcha are backend variables tied to Substack’s internal processes, not attributes that a public profile or a typical public endpoint would return. Their presence suggests access at a level normally reserved for internal systems, which would make the breach more serious than the initial notification indicated.
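The severity argument in this section rests on which fields appear in the records, not only on how many records there are. The following script is an added example, written for this article rather than taken from Hackread or Substack, of how an incident responder would triage a sample of a leaked dataset: it parses JSON lines, separates fields a public profile would expose from backend-only flags and contact data, counts publisher and Stripe-linked accounts, and reports the date span. The three records are constructed with invented values, and the set of “public profile” fields is an assumption.

```python
import json
from datetime import datetime, timezone

# Constructed sample: field names follow those the article mentions,
# every value is invented. This is NOT data from the leak.
SAMPLE_JSONL = """\
{"id": 1001, "email": "reader@example.com", "phone": "+44 7700 900123", "created_at": "2018-06-02T10:15:00Z", "updated_at": "2025-09-30T08:00:00Z", "publisher_agreement_accepted_at": null, "stripe_customer_id": null, "is_global_admin": false, "is_ghost": false, "has_passed_captcha": true}
{"id": 1002, "email": "writer@example.org", "phone": null, "created_at": "2021-03-14T12:00:00Z", "updated_at": "2025-11-05T19:30:00Z", "publisher_agreement_accepted_at": "2021-03-15T09:00:00Z", "stripe_customer_id": "cus_TESTONLY0001", "is_global_admin": false, "is_ghost": false, "has_passed_captcha": true}
{"id": 1003, "email": "subscriber@example.net", "phone": "+1 415 555 0100", "created_at": "2019-11-20T16:45:00Z", "updated_at": "2024-02-01T11:00:00Z", "publisher_agreement_accepted_at": null, "stripe_customer_id": "cus_TESTONLY0002", "is_global_admin": false, "is_ghost": false, "has_passed_captcha": true}
"""

# Assumption: what an anonymous visitor can read from a public profile.
PUBLIC_PROFILE_FIELDS = {"id", "name", "bio", "profile_image"}
# Backend-only state the article calls out; a public endpoint has no reason to return these.
INTERNAL_FLAGS = {"is_global_admin", "is_ghost", "has_passed_captcha"}
# Fields that make targeted phishing or account linkage possible.
CONTACT_FIELDS = {"email", "phone", "stripe_customer_id"}


def parse_records(jsonl_text):
    """Parse one JSON object per line, skipping blank lines."""
    return [json.loads(line) for line in jsonl_text.splitlines() if line.strip()]


def parse_ts(value):
    """ISO-8601 timestamp with trailing Z -> aware UTC datetime, or None."""
    if not value:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def triage(records):
    """Summarise what a record sample reveals about scope and likely access level."""
    fields = set().union(*(r.keys() for r in records))
    created = [t for t in (parse_ts(r.get("created_at")) for r in records) if t]
    updated = [t for t in (parse_ts(r.get("updated_at")) for r in records) if t]
    internal = sorted(fields & INTERNAL_FLAGS)
    return {
        "records": len(records),
        "non_public_fields": sorted(fields - PUBLIC_PROFILE_FIELDS),
        "internal_flags_present": internal,
        "contact_fields_present": sorted(fields & CONTACT_FIELDS),
        "publishers": sum(1 for r in records if r.get("publisher_agreement_accepted_at")),
        "stripe_linked": sum(1 for r in records if r.get("stripe_customer_id")),
        "with_phone": sum(1 for r in records if r.get("phone")),
        "earliest_created": min(created).year if created else None,
        "latest_updated": max(updated).year if updated else None,
        # Heuristic: backend-only flags point to privileged or internal access,
        # not to a scrape of public profiles.
        "likely_source": "internal/privileged access" if internal else "public profile scrape",
    }


if __name__ == "__main__":
    print(json.dumps(triage(parse_records(SAMPLE_JSONL)), indent=2))
```

The “likely_source” verdict is a heuristic, not proof: it says the data could not have come from public profiles alone, which is the article’s point, but it does not by itself distinguish a misconfigured internal API from compromised credentials or a database export.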
Current State of Data Misuse
Substack has stated that it has found no evidence of misuse of the compromised data and that it has fixed the underlying vulnerability. In breach investigations, a statement of this kind means only that no exploitation has been confirmed so far, not that the data is safe. Datasets like this commonly circulate in private forums before being used for phishing, impersonation, or targeted social engineering. Hackread.com has confirmed that this Substack dataset is currently being shared on several Russian-speaking cybercrime platforms and via Telegram.
For affected users, the immediate threat lies in targeted phishing attempts. Individuals may receive emails or text messages referencing their Substack account, newsletter titles, or user history to create a veneer of legitimacy. Users are advised against clicking links, downloading attachments, or responding to any communication purporting to be from Substack, Stripe, or subscribers requesting sensitive information.
It is essential to access account information only by navigating directly to the official Substack website and to disregard any urgent messages or requests for verification codes, password resets, or account confirmations. Additionally, users employing the same email or phone number across different services should be vigilant for similar phishing attempts elsewhere.
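The advice above, to reach Substack only by typing the address and to treat urgent verification requests with suspicion, can be turned into a quick check on a message before anyone clicks. The script below is an added example and not part of the original article: it pulls the links out of a message, resolves each link’s real host (so that a brand name placed before an “@” does not fool the reader), checks the host against an assumed allowlist of official domains, flags lookalike hosts that merely contain the brand name, and notes urgency cues of the kind phishing lures rely on. The sample message and every address in it are constructed.

```python
import re
from urllib.parse import urlparse

# Assumption: the only domains a genuine Substack or Stripe message should send a user to.
OFFICIAL_DOMAINS = {"substack.com", "stripe.com"}
BRAND_WORDS = ("substack", "stripe")
URGENCY_RE = re.compile(r"\b(verify|reset|confirm|suspend\w*|immediately|within \d+ hours?)\b", re.I)
URL_RE = re.compile(r"""https?://[^\s<>"'\]\)]+""", re.I)

# Constructed phishing-style message; every address in it is invented.
SAMPLE_MESSAGE = """Subject: Action required: confirm your Substack account

We detected unusual sign-in activity on your newsletter. Verify within 24 hours
or publishing will be suspended:
https://substack-verify.com/login
Manage billing: https://substack.com@evil.example/billing
Help centre: https://support.substack.com/hc
"""


def host_is_official(host):
    """True only for an allowlisted domain or one of its subdomains (suffix match on a label boundary)."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


def classify_url(url):
    parts = urlparse(url)
    host = parts.hostname or ""          # hostname drops any user:pass@ prefix
    if "@" in parts.netloc:
        return "deceptive"               # brand name in the userinfo part, real host after the @
    if host_is_official(host):
        return "official"
    if any(word in host.lower() for word in BRAND_WORDS):
        return "lookalike"               # substack-verify.com, substack.com.evil.net, ...
    return "unrelated"


def triage_message(text):
    """Classify every link and look for pressure language; anything non-official is suspicious."""
    links = {u.rstrip(".,;"): classify_url(u.rstrip(".,;")) for u in URL_RE.findall(text)}
    urgency = bool(URGENCY_RE.search(text))
    suspicious = urgency or any(v != "official" for v in links.values())
    return {"links": links, "urgency_cues": urgency, "suspicious": suspicious}


if __name__ == "__main__":
    for url, verdict in triage_message(SAMPLE_MESSAGE)["links"].items():
        print(f"{verdict:10} {url}")
```

Two limits are worth knowing. The lookalike test only catches hosts that spell the brand name in ASCII; homoglyph domains (Cyrillic letters, punycode) need a confusables check on the decoded host. And an “official” verdict says the link points at the real domain, not that the message is genuine, so a verification code or password-reset prompt should still be ignored unless the user initiated it.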