Substack Data Breach Impacts Hundreds of Thousands of Users

Substack disclosed a security incident in early February 2026 involving unauthorized access to user data. The company identified the issue on February 3, 2026, and determined that the unauthorized access had occurred earlier, in October 2025. The breach affected a significant portion of its user base.

Severity: High

Scale Of Exposure

  • A threat actor using the alias “w1kkid” claimed on BreachForums to have scraped 662,752 user records.
  • Evidence reviewed by cybersecurity researchers indicates the dataset is actively circulating on multiple cybercrime forums and Telegram channels, including Russian-speaking communities.

Types Of Data Exposed

The exposed data includes:

  • Email addresses
  • Phone numbers
  • Internal account metadata (user IDs, account creation dates, update timestamps)
  • Notification preferences and moderation flags
  • Publisher-specific data (newsletter handles, bios, profile images)
  • Stripe customer IDs (linking accounts to payment systems, but not exposing card details)

Not accessed:

  • Passwords
  • Credit card numbers
  • Banking or direct financial information

Nature Of The Access

The presence of internal backend fields (e.g., admin flags, captcha status, session indicators) suggests the data was obtained through internal system access or data exports, not simple public web scraping. The dataset includes both readers and active publishers, including monetized creator accounts.

Company Response

Substack stated that:

  • The system vulnerability has been fixed
  • A full internal investigation is underway
  • There is currently no confirmed evidence of active misuse of the data

The CEO issued a direct apology, acknowledging the failure and committing to preventing similar incidents in the future.

Risk To Users

While no confirmed abuse has been detected, the exposed dataset significantly increases the risk of:

  • Targeted phishing
  • Account impersonation
  • Social engineering attacks referencing Substack-specific details

Attackers may use accurate account metadata to craft highly convincing emails or SMS messages.

Recommendations

Impacted users are advised to:

  1. Be cautious of unsolicited emails or texts claiming to be from Substack, Stripe, or subscribers.
  2. Avoid clicking links or downloading attachments from suspicious messages.
  3. Access Substack only by manually typing the official website address.
  4. Watch for phishing attempts on other platforms if the same email or phone number is reused elsewhere.

Source:

  • https://hackread.com/substack-breach-user-records-leak-cybercrime-forum/
  • https://x.com/arvidkahl/status/2019236455604973670
