Substack
Analysis of the Substack breach exposing subscriber email addresses and phone numbers.
Published by the Scrutex.ai Research Team | February 2026
Disclaimer
This advisory is provided for informational and educational purposes only by the Scrutex research team. It is based entirely on publicly available reporting from the sources cited below. Where details are unconfirmed or disputed by the affected organisation, this is noted explicitly. Scrutex does not independently verify internal claims made by affected organisations or threat actors. This advisory should not be interpreted as a confirmed statement of fact regarding any organisation's security posture. Organisations concerned about their own exposure should conduct independent assessments and seek professional legal advice.
At a Glance
Organisation
Substack
Online publishing platform enabling writers and creators to publish newsletters and build paid subscription audiences.
Sector
Media / Technology
Region
United States
Date of Incident
Prior to February 2026 (exact date not disclosed)
Date Disclosed
February 2026
Estimated Impact
Unknown
Data Types Exposed
Subscriber email addresses, phone numbers
Attack Type
Data Breach
Attack Vector
Not publicly disclosed
Current Status
Substack has disclosed the incident. Investigation ongoing.
Severity Assessment
Moderate. The exposure of subscriber contact data undermines the trust relationship between writers and their audiences that is foundational to Substack's business model.
What Happened
In February 2026, Substack disclosed that subscriber contact data had been exposed. The compromised data includes subscriber emails and phone numbers.
The incident undermines trust between newsletter writers and their audiences, as subscribers expect their contact information to remain private.
Timeline
February 2026
Substack discloses exposure of subscriber contact data
Impact and Risk Assessment
For Affected Individuals
Subscribers had their email addresses and phone numbers exposed. Subscription preferences can reveal personal interests, political views, and professional focus areas.
For Organisations
Newsletter writers on Substack may face subscriber churn and trust erosion as a result of the platform breach.
Substack's reputation as a trusted platform for independent writers may be affected.
Regulatory Context
CCPA may apply for California-resident subscribers. GDPR may apply for EU-resident subscribers. CAN-SPAM Act implications for exposed email addresses.
What Should You Do?
If You Are a Potentially Affected Individual
If you subscribe to Substack newsletters, be alert to phishing emails that reference your subscription interests.
Review your Substack account settings and consider whether you want to continue sharing your phone number with the platform.
If You Are a Security or Risk Professional
Publishing platforms should minimise the collection and retention of subscriber contact data. Consider whether phone numbers are necessary for the service provided.
Learnings and Recommendations
Publishing and newsletter platforms hold relationship data between creators and their audiences. A breach of this trust can have cascading effects on the platform's entire creator ecosystem.
Sources
This advisory is provided for informational purposes by the Scrutex.ai research team. It is based on publicly available reporting from the sources cited above. Where details are unconfirmed or disputed, we have noted this accordingly. Scrutex.ai does not independently verify internal claims made by affected organisations. Organisations concerned about their own exposure are encouraged to conduct their own assessments and seek professional advice where needed.
Stay ahead of the next breach
Scrutex monitors dark web sources, breach databases, and threat actor activity continuously, detecting exposure that affects your organisation before it becomes a headline.