Substack Confirms Data Breach - Is Your Info Protected?
Substack has confirmed a data breach affecting user data.
According to the company, an unauthorized third party accessed its systems in October 2025 and obtained user email addresses, phone numbers, and internal metadata. The breach was only discovered months later, in February 2026.
Substack says passwords, credit card numbers, and financial information were not affected, but the company has not disclosed how many users were impacted, what vulnerability was exploited, or why detection took so long.
Why Exposed Emails Are Dangerous
Your email address is the backbone of your online identity.
Most people reuse the same email and password across a variety of services. When one site leaks credentials, attackers automatically try that same email and password combination across hundreds of other platforms. This works because reuse is extremely common and trivial to automate.
Even when only an email is exposed, attackers can pivot. Emails are routinely searched in breach databases that aggregate years of past leaks. Those databases often reveal other accounts tied to the same email and sometimes old passwords used elsewhere. From there, attackers attempt logins, abuse password resets, send targeted phishing, or move toward extortion.
This is how a single breach turns into many compromised accounts.
How to Protect Yourself Going Forward
Never Reuse Passwords
Do not reuse passwords. Ever.
If one service is breached and you reused a password, attackers can immediately try it everywhere else. This remains one of the most common causes of account takeover.
Use a password manager to generate and store a unique password for every site.
Recommended options:
A password manager makes strong, unique passwords the default instead of an extra chore. You only need to remember one master password, and it gives you access to a vault of long, unique passwords for every site you use.
Never Reuse Email Addresses Across Most Accounts
Reusing the same email address across most of your accounts makes it easy for attackers to map your entire digital footprint after a breach.
Once your email is exposed, attackers search it across breach databases and public data sets. This often reveals many other services tied to that email and sometimes old passwords from previous leaks. From there, attackers target password resets, send highly convincing phishing emails, or attempt account recovery attacks.
This problem is not limited to high value accounts. Low importance accounts like forums, newsletters, and social platforms are often the weakest link. They expose usernames, interests, and behavior patterns that attackers use to move toward more valuable accounts.
The correct mental model is to treat email addresses like passwords. Most accounts should get a unique one.
Email aliases make this practical. ProtonMail is a strong option.
ProtonMail supports unlimited email aliases using their forwarding domain passmail.net, allowing you to create a unique address for every service. All aliases deliver to your main inbox, so management stays simple.
For example:
substack123@passmail.net
shopping123@passmail.net
forum123@passmail.net
To the outside world, these are completely separate addresses.
If one alias is leaked, attackers cannot use it to discover your other accounts or your primary email. If an alias starts receiving spam or phishing, you can disable it without breaking anything else.
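The isolation argument from the password and email sections above, as an added example that is not part of the original post: a small Python audit of a password-manager CSV export. It shows which accounts a leak at one service exposes, both when only the email leaks and when the password leaks too. The column names (service, email, password), the sample rows and the alias.example domain are constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of a password-manager CSV export; not real accounts.
SAMPLE_EXPORT = """service,email,password
substack,me@example.com,Winter2024!
forum,me@example.com,Winter2024!
shopping,me@example.com,x7#Lq9vT2p
bank,bank-4f2a@alias.example,Zr8!mK3wQd
news,news-91c0@alias.example,Winter2024!
"""


def load_accounts(text):
    """Parse the export into a list of {service, email, password} dicts."""
    return [{k: v.strip() for k, v in row.items()}
            for row in csv.DictReader(io.StringIO(text))]


def reuse_groups(accounts, field):
    """Map each reused value of `field` to the services that share it."""
    groups = defaultdict(list)
    for acct in accounts:
        key = acct[field].lower() if field == "email" else acct[field]
        groups[key].append(acct["service"])
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}


def blast_radius(accounts, breached, password_leaked):
    """Sort the other accounts by what a leak at `breached` exposes."""
    leaked = next(a for a in accounts if a["service"] == breached)
    out = {"takeover": [], "linked": [], "isolated": []}
    for acct in accounts:
        if acct["service"] == breached:
            continue
        if acct["email"].lower() != leaked["email"].lower():
            out["isolated"].append(acct["service"])  # leaked address does not point here
        elif password_leaked and acct["password"] == leaked["password"]:
            out["takeover"].append(acct["service"])  # leaked pair works as-is
        else:
            out["linked"].append(acct["service"])    # discoverable: phishing or reset target
    return out


if __name__ == "__main__":
    accounts = load_accounts(SAMPLE_EXPORT)
    print(reuse_groups(accounts, "password"))
    print(blast_radius(accounts, "substack", password_leaked=False))
```

A real export holds every password in plaintext, so run the audit locally and delete the file afterwards.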
Data Breaches Are Inevitable
Breaches are inevitable. Credential reuse is what turns them into cascading failures.
Unique passwords and unique email addresses isolate damage and prevent a single incident from becoming a full account takeover chain. Stay safe out there!
If you found this guide helpful, please share.
Update: Substack Responds to Information Request
I reached out to Substack directly asking whether “User IDs” are internal database identifiers (UUIDs) or something more sensitive like login credentials.
Their response confirmed that:
Credit card numbers, passwords, and financial information were NOT accessed.
They have fixed the system vulnerability that allowed the breach.
The breach occurred in October 2025.
Impacted users received a message informing them of the incident; if they did not receive a notice, their data was not impacted.
They didn’t specifically address what “User IDs” actually are. The reply mentioned “other internal metadata” was accessed, which likely includes these User IDs, but provided no technical clarification on what that means.
It sounds like these are likely internal database identifiers (non-sensitive technical metadata), not usernames or login credentials, but Substack hasn’t confirmed that explicitly.




Sad that the first time I hear about it is in a Substack article, rather than a communication from Substack as a user.
I posted this in a comment to someone else yesterday. First, there is an article on the breach which tells more than the Substack Breach Notification does.
Substack Data Breach Leads to Leak of Nearly 700,000 Records
https://www.hendryadrian.com/substack-data-breach-leads-to-leak-of-nearly-700000-records/
Note that the article lists more personal data leaked than the Notification shows:
"Leaked fields include full names, email addresses, phone numbers, user IDs, Stripe IDs, profile pictures, biographies, account creation dates, and social media handles."
I'm not concerned about names, email addresses, profile pictures (mine is of Thanos!), biographies, account creation dates, social media handles (although those could be misused) or phone numbers. I don't use Stripe as yet, so that doesn't apply.
What I'm not clear about is "user IDs" - which the Notification does not mention. WHAT "user IDs?" Substack's internal IDs? Substack should clear that up.