
Substack data breach: 700K users' emails and phone numbers leaked

Substack confirmed a breach exposing 700K users' emails and phone numbers. Even without passwords stolen, you're at risk. Here's what to do.

Tags: security, breaches, substack, data-breach, 2026

On February 5, 2026, Substack CEO Chris Best notified users that the company had suffered a data breach affecting approximately 700,000 accounts. The breach, which actually occurred in October 2025, exposed email addresses, phone numbers, and internal metadata. Substack says passwords were not compromised.

But before you dismiss this as minor, read on. An email-plus-phone-number combination is more dangerous than most people realize.

What happened

In October 2025, an unauthorized third party gained access to Substack's systems and exfiltrated user data. Substack did not discover the breach until February 3, 2026, more than four months after the intrusion occurred.

The breach came to light when a threat actor posted a dataset containing approximately 697,313 records on BreachForums, a well-known cybercrime forum. The hacker claimed to have stolen names, email addresses, phone numbers, profile pictures, user IDs, and bios from Substack's systems.

Following the BreachForums post, Substack confirmed the breach and began notifying affected users. CEO Chris Best stated that the company had "fixed the problem" and was "conducting a full investigation." Substack emphasized that credit card numbers, passwords, and financial information were not accessed.

The company also stated it had "no evidence that this information is being misused," though it advised users to remain cautious of suspicious communications. Given that the data was already posted publicly on a cybercrime forum, that assurance rings hollow.

What data was exposed

The leaked dataset reportedly contains:

  • Email addresses - The primary email associated with your Substack account
  • Phone numbers - For users who added a phone number to their profile
  • Names - Display names and profile information
  • Profile pictures - Links to user profile images
  • User IDs - Internal Substack account identifiers
  • Bios - User-written profile descriptions
  • Internal metadata - Unspecified platform metadata about accounts
  • Newsletter subscription data - Which publications you subscribe to

Substack confirmed that passwords, credit card numbers, and financial information were not stolen.

Why "passwords weren't exposed" doesn't mean you're safe

When companies announce a breach, they often lead with what was not stolen to minimize the perceived severity. Substack's emphasis on passwords being safe is technically accurate but dangerously misleading.

Here is why an email-plus-phone-number leak is a serious threat.

SIM swap attacks

A SIM swap attack is when a criminal convinces your mobile carrier to transfer your phone number to a SIM card they control. Once they have your number, they can intercept SMS verification codes sent to your phone, gaining access to any account that uses SMS-based two-factor authentication.

To execute a SIM swap, an attacker needs:

  1. Your phone number (now leaked)
  2. Your name (now leaked)
  3. Some personal details for social engineering (your email, bio, and metadata provide these)

With the Substack dataset, attackers have everything they need to attempt SIM swaps against 700,000 people. If any of those people use SMS-based two-factor authentication on their bank, email, or social media accounts, those accounts are now at elevated risk.

Targeted phishing

Knowing someone's email, name, phone number, and which newsletters they subscribe to gives attackers everything they need for highly convincing phishing campaigns:

  • "Your Substack subscription to [newsletter name] has been suspended. Verify your account here."
  • "Important security update from Substack regarding your account [name]. Click to confirm your identity."
  • "Hey [name], I'm the author of [newsletter they subscribe to]. I'm moving platforms and need you to re-subscribe at this link."

These messages would look legitimate because the attacker has real data to personalize them.

Credential stuffing

While Substack passwords were not in this breach, the leaked email addresses will be cross-referenced against other breached password databases. If you used the same email address on Substack that you use elsewhere, and any of those other accounts have been breached with passwords, attackers now have a fresh target list.

What to do right now

1. Change passwords on accounts tied to your Substack email

Even though Substack passwords were not stolen, you should change the password for:

  • Your email account (Gmail, Outlook, ProtonMail, etc.) - This is your most critical account because email resets can unlock almost everything else
  • Any account that uses the same email address as your Substack account
  • Financial accounts linked to that email
  • Social media accounts linked to that email or phone number

If you have many accounts to update, Dosel automates the process. The AI agent handles navigating each site's password change flow while keeping everything local on your Mac.

2. Switch from SMS to app-based two-factor authentication

This is the most important step you can take after a phone number leak. If any of your accounts use SMS codes for two-factor authentication, switch to an authenticator app immediately:

  • Google Authenticator or Authy for most accounts
  • Hardware security keys (like YubiKey) for your most critical accounts

Accounts to prioritize for this switch:

  • Email (Gmail, Outlook)
  • Banking and financial services
  • Social media (Twitter/X, Instagram, Facebook)
  • Cloud storage (Google Drive, Dropbox, iCloud)
  • Password manager (if it uses SMS as a 2FA option)

3. Contact your mobile carrier

Call your phone carrier and:

  • Add a PIN or passcode to your account that is required for any changes
  • Ask about their SIM swap protection features
  • Enable port freeze or number lock if available
  • Ask to be notified of any SIM change requests

This takes five minutes and dramatically reduces SIM swap risk.

4. Watch for phishing

For the next several months, be suspicious of:

  • Any email claiming to be from Substack, especially ones asking you to click links
  • Messages referencing newsletters you subscribe to
  • Texts or calls to the phone number associated with your account
  • Emails asking you to "verify" or "confirm" account details

When in doubt, go directly to substack.com rather than clicking any link in an email.
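The lures listed above all work by making a link look like it belongs to Substack when it does not. The following added example (not code from Substack or Dosel) shows the host checks a mail filter or a careful reader would apply to such links: it treats only https links whose host is substack.com or a subdomain of it as safe, and rejects plain http, hosts that merely start with "substack.com", and URLs that hide the real host behind embedded credentials. The expected domain and the sample message are assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Registrable domain the link is expected to land on (assumption: the
# post only says to go directly to substack.com).
EXPECTED_DOMAIN = "substack.com"

# Crude URL extractor for plain-text messages; stops at whitespace and quotes.
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)


def link_is_on_domain(url: str, expected_domain: str = EXPECTED_DOMAIN) -> bool:
    """True only if the link is https and its host is expected_domain or a subdomain of it.

    Deliberately strict: plain http, embedded credentials ("user@host"),
    unparseable hosts and look-alike hosts all return False.
    """
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return False
    if parts.scheme.lower() != "https":
        return False
    # In "https://substack.com@login.example/" the real host is login.example
    # and "substack.com" is just the username; any userinfo is a phishing tell.
    if parts.username is not None or parts.password is not None:
        return False
    host = parts.hostname  # already lowercased, port stripped
    if not host:
        return False
    host = host.rstrip(".")  # "substack.com." is the same host as "substack.com"
    try:
        host = host.encode("idna").decode("ascii")  # unify Unicode look-alike hosts
    except UnicodeError:
        return False
    expected = expected_domain.lower()
    # "substack.com.evil.example" ends with "example", not with ".substack.com"
    return host == expected or host.endswith("." + expected)


def suspicious_links(message: str, expected_domain: str = EXPECTED_DOMAIN) -> list[str]:
    """Return every URL in the message that does not land on expected_domain."""
    return [u for u in URL_RE.findall(message)
            if not link_is_on_domain(u, expected_domain)]


# Constructed sample message, modelled on the lure texts the post lists.
SAMPLE_MESSAGE = """\
Your Substack subscription has been suspended.
Verify at https://substack.com.account-verify.example/login
Or confirm here: https://substack.com@login.example/verify
Plain link: http://substack.com/sign-in
Real link: https://newsletter.substack.com/p/welcome
"""

if __name__ == "__main__":
    for link in suspicious_links(SAMPLE_MESSAGE):
        print("suspicious:", link)
```

Run as a script it flags the first three links in the sample and accepts only the newsletter.substack.com one. The check is intentionally conservative: a legitimate but unusual link (a tracking redirect, for instance) will also be flagged, which is the right failure mode when the fallback is simply typing substack.com into the address bar.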

The 4-month detection gap problem

Perhaps the most concerning aspect of this breach is the timeline. The intrusion happened in October 2025. Substack did not discover it until February 3, 2026. That is a 4-month window during which attackers had access to the data while nobody knew.

This detection gap is disturbingly common. According to IBM's 2025 Cost of a Data Breach Report, the average time to identify a breach is 197 days. Nearly 7 months.

During those 4 months:

  • Attackers could have been using the data for targeted phishing campaigns
  • SIM swap attempts could have already been made
  • The data could have been sold privately before the public BreachForums post
  • Credential stuffing attacks using the leaked emails could have already compromised other accounts

This is why security experts recommend proactive credential rotation on a regular schedule, not just in response to known breaches. By the time a breach is announced, the data may have been in criminal hands for months.

When you think about how many services you use and how long detection takes, the math is simple: at any given moment, some of your data is likely already compromised and you do not know it yet. Regular password rotation is not paranoia. It is pragmatism.

Automate your password changes

After any breach, the standard advice is "change your passwords." The problem is that nobody wants to spend an afternoon navigating password change forms on 30 different websites.

This is exactly why Dosel exists.

  1. Import your accounts from Chrome, Safari, 1Password, LastPass, or any CSV export
  2. Select which accounts to rotate (start with email, banking, and social media)
  3. The AI agent does the work by navigating each site's password change flow automatically
  4. Export your new credentials back to your preferred password manager

The entire process runs locally on your Mac. Your passwords never leave your device. Zero-knowledge architecture means nobody else, including us, can access your credentials.

Download Dosel for free and start changing your passwords now, not next week when you "get around to it." The free tier includes 5 password changes per month. For unlimited changes, our Pro plan is $2.99/month.

The Substack breach is a reminder that even when passwords are not directly stolen, your accounts are not safe. Protect them before someone else tests whether they can get in.


Need help rotating your passwords? Download Dosel or reach out at hello@dosel.app.
