Security Experts Advise Substack Users to Prepare for Phishing Attacks Following Recent Breach

Cybersecurity specialists are urging Substack users to remain vigilant against potential phishing scams following a recent data breach on the platform. The blogging service has experienced a security incident that compromised user data.

In a communication sent to users, Substack CEO Chris Best disclosed that the breach resulted in the exposure of email addresses, contact numbers, and other internal metadata. However, details surrounding the breach itself have not been fully explained. The organization identified the data compromise on February 3rd, when it became aware that an unauthorized third party had accessed limited user information.

Best’s preliminary investigation indicated that unauthorized access may have begun as early as October 2025. He reassured users that sensitive information such as credit card numbers and passwords was not affected during this incident. The company has since addressed the vulnerabilities within its system that permitted this breach, and further investigations are underway to enhance security protocols and mitigate future risks.

While the full extent of the breach remains undisclosed, reports from BleepingComputer suggest that the incident could potentially impact over 500,000 users. As of February 2nd, a malicious actor allegedly shared a database containing 697,313 compromised records on BreachForums.

Despite the lack of evidence regarding the misuse of the exposed data, Best recommended heightened vigilance among users. Cybersecurity experts echo this sentiment, emphasizing that phishing attempts often surge following a data compromise. Cybercriminals typically exploit exposed contact information to launch deceptive schemes targeting unsuspecting individuals.

Jamie Akhtar, CEO of CyberSmart, underscored that while Substack has asserted that sensitive data remains secure, the leaked contact information still presents a significant opportunity for criminals. Such data forms the foundation for more complex social engineering efforts, including impersonation and targeted phishing schemes.

Javvad Malik, lead security awareness advocate at KnowBe4, reiterated Akhtar’s concerns. He noted that the information shared by Substack appears insufficient for users to accurately assess their risk levels and undertake proper preventive measures. The timeline of the incident raises further questions, particularly given that the exposure began in October 2025 but was disclosed much later.

Such a lag in disclosure may complicate the response of affected users and weaken their defenses against potential threats. While it is recognized that identifying breaches can be challenging, a clearer explanation of the breach’s mechanics and its ramifications is crucial for affected stakeholders.

The attack on Substack aligns with various tactics and techniques described in the MITRE ATT&CK framework. Initial access may have been gained by exploiting vulnerabilities in the platform’s security. The lack of immediate detection suggests that the perpetrators may have employed persistence and privilege escalation techniques to maintain ongoing access. In the wake of this incident, Substack’s users are encouraged to enhance their security posture and remain cautious of communications that may seem suspicious.
