Security experts warn Substack users to brace for phishing attacks after breach

Cybersecurity experts have warned Substack users to be on the lookout for potential phishing scams after the blogging platform suffered a data breach.

In an email distributed to users, CEO Chris Best revealed a “security incident” saw account email addresses, contact numbers, and “other internal metadata” exposed.

Exact details on how the breach unfolded are yet to be disclosed. However, on 3 February, the organization discovered an issue that allowed an unauthorized third-party to “access limited user data.”

A preliminary investigation found the data was first accessed in October 2025, Best added.

“Importantly, credit card numbers, passwords, and financial information were not accessed,” the email reads.

“We have fixed the problem with our system that allowed this to happen. We are conducting a full investigation and are taking steps to improve our systems and processes to prevent this type of issue from happening in the future.”

Substack hasn’t revealed information on the scale of the breach. However, reports from BleepingComputer suggest the incident could have impacted over half a million users.

On Monday 2 February, a threat actor uploaded a database to BreachForums allegedly containing 697,313 stolen records.

Substack users should remain vigilant

Best noted that there is currently no evidence that information exposed in the breach is being misused, but nonetheless warned users to remain vigilant.

“We encourage you to take extra caution with any emails or text messages you receive that may be suspicious,” he said.

That same advice has since been reiterated by cybersecurity experts. Phishing attacks are a common occurrence in the wake of a data breach as cyber criminals look to capitalize on contact information to dupe unsuspecting users.

This information often represents a goldmine for threat actors, according to Jamie Akhtar, CEO of CyberSmart.

“While Substack has stated that sensitive data such as passwords and payment information was not accessed, exposure of contact details like email addresses and phone numbers can still be highly valuable to cyber criminals,” he said.

“This type of data is often used as the foundation for targeted phishing, impersonation attempts, and wider social engineering campaigns.”

Javvad Malik, lead security awareness advocate at KnowBe4, echoed Akhtar’s comments, but noted that the information provided by Substack is limited, which could still leave some users at risk.

“It is a bit light on the details which can help people accurately judge the risk and take concrete action,” he said. The timeline is significant. If the data was accessed in October 2025, but only just disclosed, it's a significant dwell time.”

“That isn't to say there's negligence on part of Substack because detection can be difficult,” Malik added. “But impacted users deserve a clearer explanation of how the breach was identified.”

FOLLOW US ON SOCIAL MEDIA

Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.

You can also follow ITPro on LinkedIn, X, Facebook, and BlueSky.