100 Days Undetected
Substack CEO Chris Best disclosed on February 5, 2026 that an unauthorized party accessed data belonging to approximately 700,000 users of the newsletter publishing platform. The breach is notable not only for its scale but for its stealth — the intrusion began in October 2025 and went undetected for approximately 100 days until Substack's security team identified the unauthorized access on February 3, 2026.
Breach Timeline
October 2025 — Unauthorized party gains access to Substack user data
Oct 2025 - Feb 2026 — Intrusion goes undetected for approximately 100 days
February 3, 2026 — Substack security team detects unauthorized access
February 4, 2026 — Access revoked; forensic investigation launched
February 5, 2026 — CEO Chris Best publicly discloses the breach
The roughly 100-day dwell time raises serious questions about Substack's detection capabilities. IBM's Cost of a Data Breach Report puts the mean time to identify a breach at 194 days, so Substack's 100-day discovery, while concerning, is faster than that average. The comparison offers little comfort, though: the attacker described the activity as noisy and automated, and 100 days is ample time to exfiltrate an entire user table.
Data Exposed vs. Not Exposed
| Data Type | Status | Risk Level |
|---|---|---|
| Email addresses | Exposed | High |
| Phone numbers | Exposed | High |
| Stripe payment system IDs | Exposed | Medium |
| Passwords | NOT exposed | — |
| Credit card numbers | NOT exposed | — |
| Full financial information | NOT exposed | — |
| Newsletter content / drafts | NOT exposed | — |
The exposure of Stripe payment system IDs is an unusual data point. These identifiers alone cannot be used to initiate charges or retrieve card details, but they do confirm which users have a paying relationship with the platform, and a phishing message that quotes a recipient's genuine Stripe identifier looks far more credible than a generic one. Cross-referenced with other leaked datasets, they could also help map which accounts hold paid subscriptions and support targeted pretexting against users, writers or support staff who recognize the identifier.
How the Breach Occurred
The threat actor described their method as "scraping" and characterized the technique as "noisy" — suggesting they used automated tools to systematically extract user data from Substack's systems. This description implies the attacker was surprised the activity went undetected for so long, given that scraping typically generates abnormal traffic patterns that should trigger monitoring alerts.
Why "Noisy" Scraping Went Unnoticed
Several factors could explain the detection failure:
- Insufficient rate limiting — Automated requests were not throttled or flagged
- Lack of anomaly detection — Traffic patterns from scraping were not distinguished from legitimate API usage
- Inadequate logging — Access logs may not have been reviewed with sufficient frequency or granularity
- Blending with normal traffic — The attacker may have distributed requests to mimic legitimate user behavior despite the overall volume being anomalous
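As an added example that is not part of the original article and not Substack's own code, the following Python script runs the kinds of checks the list above describes over a constructed access log: a sliding-window request count per source IP (what a rate limiter would enforce), detection of sequential user-ID enumeration by a single client, and detection of the same enumeration when it is spread across many source addresses so that no single IP looks busy. The log line format, the /api/v1/users/<id> endpoint, the sample traffic and the thresholds are all assumptions made for illustration.

```python
"""Scraping detector run over web-server access logs.

Added example, not Substack's code.  It checks for the gaps listed above:
requests that should have been rate limited, sequential enumeration of user
IDs by one client, and the same enumeration spread across many source IPs so
that no single address looks busy.

Assumed (constructed) log line format:
    <ISO-8601 timestamp> <client ip> <api key or -> <method> <path> <status>
The endpoint /api/v1/users/<numeric id> is hypothetical.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (GET|POST) (\S+) (\d{3})$")
USER_ID_RE = re.compile(r"^/api/v1/users/(\d+)$")  # hypothetical endpoint


def parse_line(line):
    """Parse one log line into a dict, or return None for malformed input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, ip, key, method, path, status = m.groups()
    return {"ts": datetime.fromisoformat(ts), "ip": ip, "key": key,
            "method": method, "path": path, "status": int(status)}


def consecutive_runs(id_events, min_len):
    """Split an ordered (ip, id) stream into maximal runs where each id is
    exactly the previous id + 1, keeping only runs of at least min_len."""
    runs, run = [], []
    for ip, rid in id_events:
        if run and rid == run[-1][1] + 1:
            run.append((ip, rid))
        else:
            if len(run) >= min_len:
                runs.append(run)
            run = [(ip, rid)]
    if len(run) >= min_len:
        runs.append(run)
    return runs


def detect(lines, rate_limit=60, window_s=60, enum_run=20):
    """Return alerts: IPs over the rate limit, IPs enumerating user IDs, and
    (run length, distinct IPs) pairs for enumeration spread across IPs."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    alerts = {"rate_limit": set(), "enumeration": set(), "distributed_enumeration": []}

    # 1. Sliding-window request count per source IP (what a rate limiter would see).
    recent = defaultdict(deque)
    for e in events:
        q = recent[e["ip"]]
        q.append(e["ts"])
        while (e["ts"] - q[0]) > timedelta(seconds=window_s):
            q.popleft()
        if len(q) > rate_limit:
            alerts["rate_limit"].add(e["ip"])

    # 2./3. Sequential user-ID enumeration, checked in global request order so a
    # scraper rotating through many IPs still produces one long run.
    id_events = []
    for e in events:
        m = USER_ID_RE.match(e["path"])
        if m:
            id_events.append((e["ip"], int(m.group(1))))
    for run in consecutive_runs(id_events, enum_run):
        ips = {ip for ip, _ in run}
        if len(ips) == 1:
            alerts["enumeration"].add(ips.pop())
        else:
            alerts["distributed_enumeration"].append((len(run), len(ips)))
    return alerts


def constructed_log():
    """Constructed sample traffic: one ordinary reader, one single-IP scraper
    and one scraper that spreads the same enumeration over 40 addresses."""
    t0 = datetime(2025, 10, 14, 3, 0, 0)
    lines = []

    def add(secs, ip, key, path):
        lines.append(f"{(t0 + timedelta(seconds=secs)).isoformat()} {ip} {key} GET {path} 200")

    for i, post in enumerate([481, 12, 9930, 77]):          # ordinary reader
        add(i * 40, "203.0.113.7", "-", f"/p/{post}")
    for i in range(100):                                      # 100 IDs in 30 s from one IP
        add(10 + i * 0.3, "198.51.100.9", "key_a", f"/api/v1/users/{1000 + i}")
    for i in range(40):                                       # one ID per IP, one every 5 s
        add(200 + i * 5, f"192.0.2.{i + 1}", "key_b", f"/api/v1/users/{5000 + i}")
    return lines


if __name__ == "__main__":
    for name, value in detect(constructed_log()).items():
        print(f"{name}: {value}")
```

The single-IP scraper trips both the rate check and the per-client enumeration check; the distributed scraper trips neither, because each address sends one request, and is caught only by looking at the ordering of the IDs requested across all clients. That global view is the point: per-IP thresholds alone are what a scraper that blends into normal traffic is designed to stay under.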
Impact Assessment
For Substack Users
The 700,000 affected users face increased risk of:
- Targeted phishing campaigns — Attackers know these users are active on Substack and can craft convincing emails
- Credential stuffing — Exposed email addresses will be tested against other platforms
- SMS-based attacks — Phone number exposure enables smishing (SMS phishing) and SIM swapping attempts
- Social engineering — Knowledge of a user's Substack presence can be leveraged in pretexting scenarios
For Substack Writers and Publishers
Newsletter creators face additional risks:
- Subscriber list exposure — If writer-subscriber relationships can be inferred from the stolen data
- Reputation damage — Subscribers may lose trust in the platform's ability to protect their data
- Business impact — Paid newsletter operators could see subscriber churn
For the Broader Platform
Substack's position as a trusted platform for independent journalism and paid newsletters means this breach has implications beyond raw user counts. Writers who depend on Substack for their livelihood must now weigh platform security against the convenience of its publishing tools.
Recommendations for Affected Users
- Change your Substack password — Even though passwords were not exposed, this is a precautionary best practice
- Enable two-factor authentication — On Substack and any accounts using the same email address
- Watch for phishing emails — Be skeptical of any Substack-themed communications asking you to click links or verify information
- Protect against SIM swapping — Since phone numbers were exposed, ask your carrier to add an account PIN or port-out protection, and treat a sudden loss of mobile service as a warning sign
- Review connected accounts — Check if your Substack account is linked to other services and secure those as well
- Check breach databases — Use Have I Been Pwned to monitor for your data in future dumps
Sources
- TechCrunch — Substack Discloses Data Breach Affecting 700,000 Users
- SecurityWeek — Substack Breach Went Undetected for 100 Days
- Infosecurity Magazine — Substack CEO Confirms 700K User Data Breach