Substack disclosed that attackers accessed user email addresses, phone numbers, and internal metadata in October 2025, but the compromise went undetected until February 3, 2026. The company says credit card numbers and passwords were not accessed and the vulnerability has been fixed, though the four-month detection gap raises concerns about monitoring and the potential for targeted phishing or smishing using the exposed contact data. #Substack #ChrisBest
Keypoints
- Attackers accessed email addresses, phone numbers, and unspecified internal metadata in October 2025.
- Substack only identified evidence of the breach on February 3, 2026, creating a four-month dwell time.
- The company reports that credit card numbers, passwords, and financial information were not accessed.
- The delayed detection increases the risk of targeted phishing and smishing campaigns using the exposed contact data.
- Substack says it fixed the vulnerability but has given few technical details and has not disclosed how many users were affected.
Read More: https://thecyberexpress.com/substack-discloses-breach/