Security experts warn Substack users to brace for phishing attacks after breach
Substack CEO Chris Best confirmed the incident occurred in October 2025
Cybersecurity experts have warned Substack users to be on the lookout for potential phishing scams after the blogging platform suffered a data breach.
In an email distributed to users, CEO Chris Best revealed a “security incident” saw account email addresses, contact numbers, and “other internal metadata” exposed.
Exact details on how the breach unfolded are yet to be disclosed. However, on 3 February, the organization discovered an issue that allowed an unauthorized third party to “access limited user data.”
A preliminary investigation found the data was first accessed in October 2025, Best added.
“Importantly, credit card numbers, passwords, and financial information were not accessed,” the email reads.
“We have fixed the problem with our system that allowed this to happen. We are conducting a full investigation and are taking steps to improve our systems and processes to prevent this type of issue from happening in the future.”
Substack hasn’t revealed information on the scale of the breach. However, reports from BleepingComputer suggest the incident could have impacted over half a million users.
On Monday 2 February, a threat actor uploaded a database to BreachForums allegedly containing 697,313 stolen records.
Substack users should remain vigilant
Best noted that there is currently no evidence that information exposed in the breach is being misused, but nonetheless warned users to remain vigilant.
“We encourage you to take extra caution with any emails or text messages you receive that may be suspicious,” he said.
That same advice has since been reiterated by cybersecurity experts. Phishing attacks are a common occurrence in the wake of a data breach as cyber criminals look to capitalize on contact information to dupe unsuspecting users.
This information often represents a goldmine for threat actors, according to Jamie Akhtar, CEO of CyberSmart.
“While Substack has stated that sensitive data such as passwords and payment information was not accessed, exposure of contact details like email addresses and phone numbers can still be highly valuable to cyber criminals,” he said.
“This type of data is often used as the foundation for targeted phishing, impersonation attempts, and wider social engineering campaigns.”
Javvad Malik, lead security awareness advocate at KnowBe4, echoed Akhtar’s comments, but noted that the information provided by Substack is limited, which could still leave some users at risk.
“It is a bit light on the details which can help people accurately judge the risk and take concrete action,” he said. “The timeline is significant. If the data was accessed in October 2025, but only just disclosed, it's a significant dwell time.”
“That isn't to say there's negligence on part of Substack because detection can be difficult,” Malik added. “But impacted users deserve a clearer explanation of how the breach was identified.”

Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.
He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.
For news pitches, you can contact Ross at ross.kelly@futurenet.com, or on Twitter and LinkedIn.