Substack has notified users that attackers stole email addresses, phone numbers, and other internal metadata in October 2025, and the company says it only discovered the breach in February 2026. Substack claims credentials and financial information were not accessed, it has patched the flaw, and a threat actor later leaked 697,313 alleged records on BreachForums. #Substack #BreachForums
Keypoints
- Attackers accessed email addresses, phone numbers, and internal metadata in October 2025.
- Substack discovered the incident in early February 2026 and has notified affected users.
- Company states that passwords, credit card numbers, and other financial data were not accessed.
- A threat actor posted a database of 697,313 alleged records on BreachForums.
- Substack says it fixed the exploited vulnerability and warned users to watch for phishing attempts.