Newsletter platform Substack confirmed a data breach in an email to users. The company said that in October, an “unauthorized third party” accessed user data, including email addresses, phone numbers and other unspecified “internal metadata.”
Substack determined that more sensitive data, such as credit card numbers, passwords and other financial information, was not affected.
In the email, Substack CEO Chris Best said that in February the company identified the problem that allowed someone to access its systems. Best said Substack fixed the problem and launched an investigation.
“I’m contacting you to inform you of a security incident that resulted in your email address and phone number being shared from your Substack account without your permission,” Best said in the email to users. “I’m incredibly sorry what happened. We take our responsibility to protect your data and your privacy seriously, and we ended up here.”
It is unclear exactly what the problem with Substack's systems was, or the scope of the data that was accessed. It’s also not yet known why it took the company five months to detect the breach, or whether hackers contacted the company demanding a ransom. TechCrunch has asked the company for more details, and we’ll update our story if we hear back.
Substack did not say how many users are affected. The company said it has no evidence that user data is being misused, but did not say what technical means, such as logs, it has in place to detect evidence of misuse. However, the company asked users to be careful with emails and text messages, without giving specific indicators or direction.
On its website, Substack says its site has more than 50 million active subscriptions, including 5 million paid subscriptions, a milestone it reached last March. In July 2025, the company raised $100 million in Series C funding led by BOND and The Chernin Group (TCG), with participation from a16z, Klutch Sports Group CEO Rich Paul and Skims co-founder Jens Grede.
