Substack is warning some users that email addresses and phone numbers linked to their accounts were exposed in a “security incident” last year. In an email to account holders, Substack CEO Chris Best said a hacker gained unauthorized access to internal data in October 2025, but passwords, credit card numbers and other financial information remain safe.
“On February 3, we identified evidence of an issue with our systems that allowed an unauthorized third party to access restricted user data, including email addresses, phone numbers and other internal metadata, without permission,” Best said in an email. “We have no evidence that this information has been misused, but we encourage you to be extra careful with any emails or text messages you receive that may be suspicious.”
Substack says it has since resolved the security issue and is now conducting a full investigation along with strengthening its systems “to prevent this type of issue from occurring in the future.” The platform didn’t provide any details on what the security issue was or how many users were affected — me and a few Rod colleagues who also use Substack did not receive the email. We asked Substack for an explanation.
“I’m incredibly sorry that this happened,” Best said in an email to users. “We take our responsibility to protect your data and your privacy seriously, and we did not fail here.”