Substack data breach exposes emails and phone numbers

18 Feb 2026 By foxnews

If you read newsletters to stay informed, here is an update worth paying attention to. Substack, a popular platform where writers, journalists and creators send email updates directly to subscribers, has confirmed a data breach that exposed user data.

The company says the exposed information includes email addresses, phone numbers and internal account metadata. More sensitive data, such as passwords, credit card numbers and financial information, was not affected. That is good news. Still, many users are asking how this happened and why it took months to detect.

For clarity, CyberGuy does not use Substack to send its newsletters.

Sign up for my FREE CyberGuy Report
Get my best tech tips, urgent security alerts and exclusive deals delivered straight to your inbox. Plus, you'll get instant access to my Ultimate Scam Survival Guide - free when you join my CYBERGUY.COM newsletter.

ROBINHOOD TEXT SCAM WARNING: DO NOT CALL THIS NUMBER

According to Substack, the unauthorized access occurred in October but was not identified until February. That means user data may have been exposed for several months before the issue was discovered. In response to CyberGuy's request for comment, Substack shared an email from CEO and cofounder Chris Best that was sent to affected users on Wednesday, Feb. 4.

"I'm incredibly sorry this happened," Best wrote. "We take our responsibility to protect your data and your privacy seriously, and we came up short here." He went on to say the company will "work very hard to make sure it does not happen again."

According to Best, Substack identified evidence of a system issue on February 3 that allowed an unauthorized third party to access limited user data in October. He confirmed the accessed data included email addresses, phone numbers and internal metadata. He also said passwords, credit card numbers and financial information were not accessed.

Substack says it has fixed the system issue that allowed the unauthorized access and has launched a full investigation. The company also said it does not have evidence that the exposed information is being misused. Even so, it encouraged users to take extra caution with emails or text messages that appear suspicious. While the statement clarifies what data was exposed, it does not explain why the access went undetected for several months or what specific safeguards are now in place to prevent a similar incident. That gap remains a key concern.

Email addresses and phone numbers are often the first pieces of information used in scams. Once attackers have verified contact details, they can send messages that feel personal, urgent or familiar. Those messages may reference subscriptions, billing or account changes to pressure people into clicking links or sharing information. Even without passwords, this type of exposure can increase the risk of phishing and impersonation attempts. That is why awareness matters now.

MICROSOFT 'IMPORTANT MAIL' EMAIL IS A SCAM: HOW TO SPOT IT

If you have a Substack account, now is a good time to tighten things up.

Be cautious with emails or texts that reference your Substack account subscriptions or payments. Scammers may use real details to sound convincing.

Urgent language is a common tactic. Go directly to Substack's website instead of using links in messages. Use a strong antivirus to safeguard yourself from malicious links that install malware, potentially accessing your private information.

Get my picks for the best 2026 antivirus protection winners for your Windows, Mac, Android and iOS devices at Cyberguy.com.

Even if passwords were not exposed, updating them adds a layer of protection, especially if you reuse passwords elsewhere. Consider using a password manager, which securely stores and generates complex passwords, reducing the risk of password reuse.

Next, see if your email has been exposed in past breaches. Our No. 1 password manager pick includes a built-in breach scanner that checks whether your email address or passwords have appeared in known leaks. If you discover a match, immediately change any reused passwords and secure those accounts with new, unique credentials.

Check out the best expert-reviewed password managers of 2026 at Cyberguy.com.

Consider using a data removal service to reduce where your email and phone number appear online. Fewer data points make scams harder to pull off. These services do all the work for you by actively monitoring and systematically erasing your personal information from hundreds of websites.

Check out my top picks for data removal services and get a free scan to find out if your personal information is already out on the web by visiting Cyberguy.com.

Get a free scan to find out if your personal information is already out on the web: Cyberguy.com.

Enable two-factor authentication (2FA) wherever possible to reduce the risk of account takeover.

SOUNDCLOUD DATA BREACH EXPOSES 29.8 MILLION USER ACCOUNTS

Substack's breach is a reminder that even creator-focused platforms face real security risks. While the company says sensitive data was not affected, unanswered questions remain about detection delays and transparency. Email addresses and phone numbers are powerful tools in the wrong hands. Staying alert now can prevent bigger problems later. Trust is built on clarity, and users are still waiting for it.

Have you changed how you protect your email and phone number after recent data breaches, and what steps have made you feel safer? Let us know by writing to us at Cyberguy.com