Cybersecurity & Privacy · 31 min read

Substack Data Breach: What Happened & How to Protect Yourself [2025]


Imagine opening your email and finding a message from a company you trust, informing you that your personal data got stolen. That's exactly what happened to hundreds of thousands of Substack users in early February 2026, when the newsletter platform's CEO revealed a security breach that occurred four months earlier. Here's the kicker: the company didn't even know about it until February 3, 2026, which means attackers had unrestricted access to user data for over three months without anyone catching it.

This breach matters because Substack isn't some obscure platform—it's where independent journalists, researchers, and creators earn money by publishing newsletters to millions of readers. When a platform at that scale gets compromised, it raises serious questions about digital security, corporate accountability, and what happens when detection takes longer than the actual attack.

Let's break down exactly what happened, what data was exposed, what Substack's doing about it, and most importantly, what you need to do to protect yourself.

TL;DR

  • Breach Details: Approximately 697,313 user records were scraped in October 2025, with Substack only discovering the incident on February 3, 2026
  • Exposed Data: Email addresses and phone numbers were stolen; credit card numbers, passwords, and financial information were not compromised
  • Detection Gap: Attackers had over 3 months of undetected access before the company realized what happened
  • Current Status: Substack has patched the security vulnerabilities and is conducting a full investigation
  • Protective Action: Affected users should monitor for phishing attempts and consider changing passwords even though passwords weren't directly stolen

The Timeline: October Hack, February Discovery

The breach itself happened in October 2025. Think of it as a silent alarm that nobody heard until months later. An unauthorized third party gained access to Substack's systems and extracted user data without setting off any internal alerts. For 126 days, the attackers could freely scrape information while Substack's security team remained completely unaware.

Substack CEO Chris Best publicly disclosed the breach on February 3, 2026, when the company finally became aware of the incident. He posted a message on Bluesky explaining the situation. What's particularly noteworthy here is that the company didn't discover the breach through their own security monitoring—they found out because someone reported it to them, or the data appeared somewhere publicly. This gap between the attack and discovery reveals a critical vulnerability in Substack's infrastructure monitoring.

The company sent notification emails to affected users, which is legally required under data breach notification laws in all 50 US states. By February 5, 2026, notifications were being sent to approximately 697,313 compromised accounts. That number might sound smaller than major breaches affecting millions, but it still represents a significant security failure for a platform with millions of active accounts.

The four-month detection lag is the real story here. Most major companies have monitoring systems that detect unusual data access patterns within hours or days. The fact that Substack took 126 days to notice suggests their logging and alerting infrastructure might not be as robust as a platform handling sensitive creator and subscriber data should be.

DID YOU KNOW: The average time to detect a data breach is **201 days**, according to IBM's 2025 Data Breach Report. Substack's 126-day detection window is actually faster than the average, but still represents a significant security blind spot.

What Data Was Actually Stolen

Let's be clear about what attackers got their hands on: email addresses and phone numbers. These are the two pieces of information Substack confirmed were exposed. This is bad, but it could have been much worse.

What attackers didn't get is equally important. Credit card numbers: untouched. Passwords: protected. Financial information: safe. Social Security numbers: not exposed. The fact that payment data remained secure is significant, especially because Substack handles creator payouts and subscription payments. If credit card information had been leaked, we'd be looking at potential fraud liability and compliance violations under PCI DSS (Payment Card Industry Data Security Standard).

Substack also mentioned that some internal metadata was included in the hack. That's vague corporate speak for data about data—things like technical logs, system configurations, or internal documentation. Metadata can be valuable to sophisticated attackers because it reveals how systems work, but it's less immediately actionable than directly stolen customer information.

The distinction matters because it affects your immediate risk level. Email addresses and phone numbers are valuable for phishing attacks and social engineering, but they won't let attackers drain your bank account or file tax returns in your name.

QUICK TIP: Check if your email was exposed using free tools like Have I Been Pwned. Even if you weren't notified by Substack, you can verify your status independently.

Why Phone Numbers Are Particularly Valuable to Attackers

When someone steals an email address, that's annoying. When they steal a phone number paired with an email address, that's dangerous. Here's why phone numbers carry disproportionate risk in modern security.

Your phone number is used for SMS-based two-factor authentication (2FA) on dozens of accounts. Banks use it. Email providers use it. Cryptocurrency exchanges use it. If an attacker has your phone number and email, they can attempt SIM swap attacks, where they convince your carrier to transfer your number to a device they control. From there, they can reset passwords on your most important accounts by intercepting the SMS codes sent during password recovery.

Phone numbers are also more stable than email addresses. You might change your email address, but you rarely change your phone number. This makes phone numbers valuable for long-term targeting. An attacker could add your number to a targeted phishing list and hit you with malicious texts months or years later when you've forgotten about the breach.

Additionally, the combination of email and phone number creates what's called a "phone book" in the security world—a targeted contact list. Attackers can use this list to conduct wave attacks, sending coordinated phishing attempts across multiple channels to maximize the chance someone will click.

Substack stored these two pieces of information together because they're fundamental to the platform's functionality. But from a data security perspective, storing high-value targets like email and phone numbers without strong encryption creates a single point of failure. If an attacker breaches one system and finds these paired together, they've hit the jackpot.

SIM Swap Attack: A fraud technique where attackers convince a mobile carrier to transfer a victim's phone number to a new SIM card in the attacker's possession, allowing them to intercept SMS messages and bypass two-factor authentication.

The Security Vulnerability: How Did This Happen

Substack hasn't released the technical details of the breach, but the attack method was data scraping. That means an attacker found an endpoint (URL or API) that returned user data and repeatedly queried it to extract all available information. Scraping is one of the most basic attack techniques, which makes this breach particularly embarrassing for a company handling sensitive creator information.

Data scraping typically happens when:

  • API endpoints lack rate limiting: The attacker can make unlimited requests without being throttled or blocked.
  • Authentication isn't properly validated: The endpoint doesn't verify that the person requesting data is authorized to access it, or verification is weak enough to bypass.
  • No data access logging exists: The company doesn't track who's accessing what data, so the scraping goes unnoticed for months.
  • Pagination isn't controlled: An attacker can iterate through user IDs sequentially (user 1, user 2, user 3, etc.) to fetch every record.

Substack appears to have had at least one of these vulnerabilities. The fact that they didn't detect the attack for 126 days strongly suggests a logging and monitoring gap. Modern cloud infrastructure from AWS, Google Cloud, or Azure can generate alerts within minutes when someone accesses unusual amounts of data. If Substack wasn't receiving these alerts, it means they either weren't configured to catch this type of access pattern, or the alerts existed but weren't being monitored.
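To make the detection gap concrete, here is an added example (not Substack's code, and not based on any log released from the incident) that runs two cheap checks over constructed access-log lines: a sliding-window count of user-record fetches per client, and a check for clients walking user IDs in sequence. The log format, the `/api/v1/users/<id>` path and the IP addresses are assumptions for illustration, and the thresholds are deliberately low so the sample trips them.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines (not real platform logs): one client
# enumerating /api/v1/users/<id> in order, one client behaving normally.
SAMPLE_LOG = """\
2025-10-14T02:00:00Z 203.0.113.7 GET /api/v1/users/1001 200
2025-10-14T02:00:00Z 203.0.113.7 GET /api/v1/users/1002 200
2025-10-14T02:00:01Z 203.0.113.7 GET /api/v1/users/1003 200
2025-10-14T02:00:01Z 203.0.113.7 GET /api/v1/users/1004 200
2025-10-14T02:00:02Z 203.0.113.7 GET /api/v1/users/1005 200
2025-10-14T02:00:02Z 203.0.113.7 GET /api/v1/users/1006 200
2025-10-14T02:00:05Z 198.51.100.9 GET /api/v1/users/4242 200
2025-10-14T02:03:10Z 198.51.100.9 GET /api/v1/posts/77 200
2025-10-14T02:09:40Z 198.51.100.9 GET /api/v1/users/4242 200
"""

# Assumed line layout: "<iso-timestamp> <client-ip> <method> <path> <status>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)
# Hypothetical per-user record endpoint; the numeric ID is what a scraper walks.
USER_ID_RE = re.compile(r"^/api/v1/users/(\d+)$")


def parse_log(text):
    """Parse one record per line into dicts; lines that don't match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    return records


def detect_scraping(records, window=timedelta(seconds=60),
                    rate_threshold=5, seq_threshold=4):
    """Flag clients that (a) fetch more than rate_threshold user records inside
    any sliding window, or (b) request seq_threshold or more consecutive user
    IDs in ascending order. Returns {client_ip: sorted list of reasons}."""
    per_ip = defaultdict(list)
    for rec in records:
        m = USER_ID_RE.match(rec["path"])
        if m:
            per_ip[rec["ip"]].append((rec["ts"], int(m.group(1))))

    alerts = {}
    for ip, hits in per_ip.items():
        hits.sort()  # chronological; ties broken by user ID
        reasons = set()

        # (a) volume: two-pointer sliding window over timestamps
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1
            if end - start + 1 > rate_threshold:
                reasons.add("volume")

        # (b) enumeration: longest run of IDs that increase by exactly one
        run = 1
        for prev, cur in zip(hits, hits[1:]):
            run = run + 1 if cur[1] == prev[1] + 1 else 1
            if run >= seq_threshold:
                reasons.add("enumeration")

        if reasons:
            alerts[ip] = sorted(reasons)
    return alerts


if __name__ == "__main__":
    for ip, reasons in detect_scraping(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT {ip}: {', '.join(reasons)}")
```

Either signal alone is noisy in production (a legitimate bulk export looks like volume, and a paginated listing looks like enumeration), so the output is an alert for a person to review rather than an automatic block. A job like this running over the previous day's logs surfaces an access pattern like the one described above within a day rather than months, provided the logs exist and someone owns the alert queue.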

CEO Chris Best stated that "security vulnerabilities have now been addressed" and the company is "taking steps to improve our systems and processes to prevent this type of issue from happening in the future." Translation: they patched something, but the details of what was patched remain undisclosed.

QUICK TIP: When a company says they've "addressed security vulnerabilities" without specifics, ask them directly for details. Request a security incident report. Companies should be transparent about how they were compromised and what they fixed.

The Legal Requirement: Why Companies Must Tell You

Substack is legally required to notify affected users about this breach. This isn't optional. All 50 US states, the District of Columbia, Puerto Rico, Guam, and the Virgin Islands have enacted data breach notification laws. These laws vary by state, but they all require companies to notify individuals when their personal information is compromised.

Under most state laws, notification must happen "without unreasonable delay," with many statutes using the phrase "in the most expedient time possible and without unreasonable delay." Some states have specific timelines. California requires notification within 28 days of confirmed discovery. New York has a 72-hour requirement. Massachusetts requires notification without unreasonable delay.

There's also the GDPR (General Data Protection Regulation) to consider, which applies to any company processing data of European residents. GDPR requires that companies notify relevant authorities within 72 hours of becoming aware of a breach, and notify affected individuals "without undue delay."

What constitutes "without undue delay" is subjective, but Substack waited from February 3 (when they discovered the breach) until February 5 to notify users. That's two days, which is reasonable and falls within legal requirements. However, the 126-day gap between the actual breach (October 2025) and discovery (February 2026) is problematic from a security standpoint, even if it doesn't violate notification laws.

Companies can face significant penalties for failing to notify users. In many states, penalties start at $100 to $1,000 per user per violation. For a breach affecting nearly 700,000 users, a negligent company could face liability in the hundreds of millions of dollars. This creates a strong financial incentive for companies to actually follow notification laws.

Interestingly, some companies spin mandatory notification as a point in their favor. "We're notifying you because we care about transparency," they'll say in a press release. That may be true, but breach notification laws required them to notify you. Don't confuse legal compliance with good faith.

DID YOU KNOW: The costliest data breaches include not just regulatory fines, but also lawsuits from affected users. The average cost of a data breach in 2025 is **$4.45 million**, according to IBM's annual report.

What "No Evidence of Misuse" Actually Means

Chris Best wrote: "There is no evidence that any of the stolen data is being 'misused.'" Notice the quotes around 'misused.' That's careful corporate wording, and it matters.

"No evidence of misuse" doesn't mean the data won't be misused in the future. It means that as of the time of writing, Substack hadn't found the stolen data being sold, used for phishing, or appearing in other breaches. But that doesn't mean attackers aren't planning to use it. It just means they haven't detected it yet, or the misuse hasn't started.

Data theft and data misuse are separate events on a timeline. Attack happens (October). Data sits in attacker's possession for months. Company discovers breach (February). Company monitors dark web for leaked data (ongoing). Months later, attacker sells data to another criminal (possible future event). Six months after that, phishing attacks start using the stolen data (another possible future event).

Substack can only claim "no evidence of misuse" for the present moment. They can't guarantee future safety. This is why they advise users to "be wary of suspicious emails or text messages they may receive." They know the data is out there, and they can't predict how attackers will eventually use it.

What responsible companies do at this point is commit to monitoring. They should search dark web marketplaces, monitor underground forums, set up alerts for when this data appears in new breaches, and provide affected users with free credit monitoring or identity theft protection. As of the public announcements, Substack hasn't clearly specified whether they're offering these services.

QUICK TIP: Sign up for identity theft protection services for free using services like LifeLock or Experian. Many credit card companies offer these services to customers. Don't rely on the breached company's monitoring alone.

The Phishing Risk: What Attackers Will Do Next

With 697,313 verified email addresses and phone numbers, attackers now have a high-quality phishing list. Phishing is the most common attack vector in the world—it accounts for about 3.4 billion spam emails daily, with roughly one in every 99 emails being a phishing attempt.

Here's how attackers will likely use this Substack data. They'll craft convincing emails pretending to be from Substack, saying something like: "Confirm your identity due to unusual account activity" or "Update your payment information immediately." Links in these emails will direct to fake Substack login pages that look identical to the real thing. When someone enters their credentials, the attacker captures the username and password.

They might also use the phone numbers for text-based phishing (smishing). A text message saying: "Your Substack account was compromised. Reset your password here: [malicious link]" will fool many users, especially if they were just reading about the breach.

The sophisticated play is cross-platform targeting. Attackers will use the email address to target someone's Gmail account, their Microsoft account, their Amazon account, their bank's account. They'll send recovery emails to the phone number. With enough targeting across multiple services, they might successfully compromise one account, giving them a foothold into someone's digital life.

This is why Substack's vague assurance that passwords weren't stolen provides limited comfort. If an attacker has your email and phone, they can reset passwords through recovery flows without ever needing the original password.

Phishing: A social engineering attack where attackers impersonate trusted entities (companies, friends, authorities) via email, text, or phone to trick people into revealing sensitive information or clicking malicious links.

Substack's Response: What the Company Is Doing

Substack's public response has been relatively straightforward. CEO Chris Best acknowledged the breach, apologized to users, and stated that the company is "conducting a full investigation" and "taking steps to improve our systems and processes."

Beyond those vague statements, specific details about remediation are limited. The company has presumably:

  • Patched the vulnerable endpoint or API that allowed scraping. This prevents future similar attacks through the same vector.
  • Implemented rate limiting on API endpoints so that someone can't make millions of requests in a short period without being blocked.
  • Improved monitoring and alerting to detect similar access patterns in the future. If someone starts trying to scrape user data again, the system should trigger an alert within minutes.
  • Reviewed access logs to understand how the attacker accessed the system. Did they use credentials? Did they exploit a specific vulnerability? How did they authenticate?
  • Enhanced authentication validation to ensure that requests for user data are verified and authorized properly.

What Substack hasn't announced (yet) is whether they're offering credit monitoring, identity theft protection, or other compensation to affected users. They haven't disclosed a security audit or a third-party assessment of their infrastructure. They haven't published a detailed incident report explaining the attack chain.

Compare this to how major companies like Microsoft or Apple handle breaches. They typically release detailed security advisories explaining the vulnerability, the versions affected, the fixes deployed, and the steps users should take. Substack's communications have been more corporate: minimum required disclosure, apology, and reassurance.

QUICK TIP: If a company you use suffers a breach, demand transparency. Email the CEO. Tag them on social media. Request details about what was compromised and how. Public pressure often leads to better disclosure than legal requirements alone would produce.

How to Protect Yourself: Immediate Actions

If your email or phone was part of the Substack breach, here are concrete steps to take right now:

Change your Substack password to something strong and unique. Don't reuse this password anywhere else. Use a password manager like 1Password, Bitwarden, or LastPass to generate a 16+ character password with mixed case, numbers, and symbols.

Enable two-factor authentication (2FA) on your Substack account if you haven't already. Use an authenticator app (Google Authenticator, Microsoft Authenticator, Authy) rather than SMS-based 2FA when possible. SMS can be compromised through SIM swaps, but authenticator apps are more secure.

Review your Substack account settings for any suspicious activity. Check if anyone accessed your account from unusual locations or times. Look at connected apps and integrations—remove anything you don't recognize.

Monitor your other accounts that share the same email address or phone number. This includes your email provider, social media, banking apps, and anywhere you have financial information. Look for login attempts, password reset notifications, or confirmation codes you didn't request.

Be extremely suspicious of unsolicited messages asking you to "verify your identity" or "confirm your payment information." These are almost certainly phishing attempts. Never click links in emails or texts—instead, visit the official website directly by typing the URL yourself.

Consider changing passwords on critical accounts like email, banking, and cryptocurrency exchanges. Even though Substack passwords weren't stolen directly, attackers will likely attempt account takeovers using your email and phone number to trigger password resets.

Place a fraud alert with one of the three major credit bureaus (Equifax, Experian, or TransUnion) if you're concerned about identity theft. This makes it harder for attackers to open credit accounts in your name because lenders will have to verify your identity before proceeding.

Freeze your credit if you want maximum protection against identity theft. This prevents anyone—including you—from opening new credit accounts until you temporarily unfreeze it. It's free and takes about 10 minutes per bureau.

DID YOU KNOW: A **credit freeze** is more effective than a fraud alert for preventing identity theft. The freeze completely locks your credit report, preventing any new accounts from being opened in your name without your explicit consent.

Long-Term Protection: What to Do Over the Next Months

Beyond immediate actions, you'll want to implement longer-term protections as this breach becomes part of your security history.

Subscribe to credit monitoring for at least one year, ideally longer. Many services like Experian, Equifax, and TransUnion offer free credit monitoring specifically for breach victims. You can also use services like Credit Karma or AnnualCreditReport.com to check your credit for free.

Monitor the dark web to see if your data appears in stolen data marketplaces. Services like Have I Been Pwned allow you to sign up for alerts if your email address appears in future breaches. Some password managers and identity theft protection services also offer dark web monitoring.

Be extra cautious with Substack communications going forward. The company's support team might email you with account questions or security notices. Verify these by logging into Substack directly rather than clicking links in emails. Attackers might impersonate Substack support to maintain access to compromised accounts.

Review your Substack subscriptions and consider which newsletters are worth continuing. If you're a paying subscriber, make sure your updated payment information is correct and that you're not seeing unauthorized charges.

Report phishing attempts immediately. If you receive a suspicious email or text claiming to be from Substack, report it to Substack's security team and to the Federal Trade Commission (FTC) at reportphishing.org. These reports help track phishing campaigns and can lead to law enforcement action.

Share your experience with others who use Substack. Social pressure encourages companies to prioritize security. If you know writers or readers on the platform, let them know about the breach and the protective steps they should take.

QUICK TIP: Set a calendar reminder for one year from now to review your credit monitoring status. Most free credit monitoring offers expire after one year, and you'll need to decide whether to continue paying for services.

The Bigger Picture: Why This Breach Matters Beyond Substack

This breach reveals something important about digital security in 2025: even relatively small, focused companies handling high-value data can have significant security gaps. Substack isn't a massive tech giant with unlimited security budgets, but it is a trusted platform where creators earn livelihoods and readers access important information.

The fact that scraped data went undetected for 126 days suggests that Substack either:

  1. Doesn't have adequate logging infrastructure in place
  2. Has logging but doesn't analyze it for security events
  3. Has analysis but doesn't have alerting when unusual patterns appear
  4. Has alerting but nobody is monitoring the alerts
  5. Has monitoring but lacks the expertise to recognize security incidents

Any of these is a serious problem. Together, they paint a picture of a company that grew quickly but didn't invest proportionally in security infrastructure. This is a common pattern among startups and fast-growing companies. Security feels expensive when you're focused on product development and user acquisition. Until a breach happens, the investment seems optional.

But from a user perspective, this breach also shows why diversifying your digital presence matters. If you're heavily invested in a single platform—relying entirely on Substack for your creator income, for example—you're exposed to that platform's security vulnerabilities. The responsible approach is to maintain multiple distribution channels and email lists outside of any single platform.

It also reinforces why password uniqueness is non-negotiable. Yes, Substack passwords weren't stolen in this breach. But if someone uses the same password on Substack and everywhere else, and Substack had a password-stealing vulnerability (which some companies have), all their accounts would be compromised. Using a password manager that generates unique, strong passwords for every service is essential.

DID YOU KNOW: The average person has **168 online accounts** but remembers only **4** passwords. Using a password manager is no longer optional—it's essential for security.

What Regulators and Law Enforcement Are Likely Doing

Behind the scenes, regulatory agencies and law enforcement are probably investigating this breach. Here's what that process typically looks like.

State attorneys general might launch investigations into whether Substack violated state data breach notification laws. They'll review whether the company notified users in the required timeframe, whether notification was adequately detailed, and whether the company's security practices were reasonable for the type of data handled.

The Federal Trade Commission (FTC) could launch an investigation into whether Substack engaged in unfair or deceptive practices by failing to maintain adequate security for user data. The FTC has broad authority to investigate companies for security failures and can impose significant fines and operational restrictions.

If the breach involved any healthcare or financial data, additional federal agencies might get involved. The Office for Civil Rights (OCR) investigates HIPAA violations. The SEC investigates financial data breaches. FinCEN might investigate if there's any connection to money laundering or terrorism financing.

Law enforcement agencies might attempt to trace the attackers and bring criminal charges if they're in the US jurisdiction. However, most data breaches are perpetrated by internationally-based criminals, which makes prosecution difficult. Countries like Russia, China, and India have weak extradition treaties with the US, so criminal prosecution rarely results.

In practice, regulatory investigations move slowly. It might be 6-12 months before we see regulatory responses. Criminal investigation might take years, if it happens at all. Users often see faster responses through private lawsuits.

Data Breach Litigation: Civil lawsuits filed by affected users against companies that fail to protect personal data. These lawsuits typically allege negligence, breach of contract, or violations of state consumer protection laws, and often result in class action settlements.

Class Action Lawsuits: What Might Happen

Inevitably, lawyers will file class action lawsuits on behalf of Substack users affected by this breach. This has happened after almost every major data breach in the last decade.

Class action lawsuits against companies for data breaches typically claim:

  • Negligence: The company failed to implement adequate security measures that would be standard for an organization handling sensitive data.
  • Breach of contract: The company's terms of service promised to protect user data, and the breach violated that promise.
  • Violation of consumer protection laws: Various state laws prohibit deceptive practices, which can include failing to disclose security vulnerabilities.
  • Invasion of privacy: Users had a reasonable expectation of privacy, which was violated by the security failure.

Historically, data breach class actions have settled for tens of millions of dollars, though the actual money received by affected users is often much smaller. Here's how it typically works:

Lawyers negotiate a settlement with the company. The settlement includes a payout pool (say, $50 million). Lawyers' fees come out first (often 25-30% of the settlement). Then administrative costs come out (claim processing, notices, etc.). What's left is divided among affected users, usually proportionally based on the class member's damages.

In a breach affecting nearly 700,000 people, if the settlement is $50 million after legal fees and administrative costs, that works out to about $70 per affected user. Some users might receive more if they can document actual damages (identity theft, fraudulent accounts, etc.). Many users never claim their settlement and the money goes to cy pres awards (charitable donations related to data privacy).

For Substack, a settlement of $50-200 million is plausible given the breach size and the fact that they stored sensitive contact data without adequate protection. The company might also be required to implement court-monitored security improvements and undergo regular security audits.

QUICK TIP: When you receive a notice about a data breach settlement, claim your award. Many people delete these notices or assume they're scams. They're legitimate and represent money you're entitled to from the lawsuit.

Lessons for Other Companies Handling Sensitive Data

While Substack specifically needs to improve its security posture, this breach offers lessons for any company collecting and storing personal information. The key lessons are:

  • Invest in security monitoring before you need it. Substack's 126-day detection window suggests they lacked adequate monitoring. Companies should implement real-time alerting for unusual data access patterns, API call spikes, and suspicious authentication attempts. This costs money, but it's far cheaper than a breach remediation and lawsuits.
  • Implement rate limiting on all APIs and data endpoints. This makes scraping attacks dramatically harder. If someone tries to request 100,000 user records in an hour, the system should automatically block them after the first 100 requests.
  • Require authentication and authorization for all data access. Never allow an endpoint to return user data without verifying that the requester is authorized to access it. Many breaches happen because someone misconfigures an API or forgets to add authentication.
  • Encrypt sensitive data at rest and in transit. Even if attackers breach the system, they shouldn't be able to read email addresses and phone numbers without decryption keys.
  • Limit what data is accessible through any single endpoint. If possible, partition data so that no single breach exposes the entire user database. Microservices architecture helps with this.
  • Maintain detailed audit logs of all data access. When a breach is discovered, forensics teams can review logs to understand exactly what was accessed, when it was accessed, and by whom. This information is crucial for understanding breach scope and preventing similar attacks.
  • Conduct regular security audits and penetration testing. Hire external security firms to test your systems and find vulnerabilities before attackers do. This is especially important for companies handling financial or personal data.
  • Have an incident response plan in place. Before you have a breach, write down who's responsible for what, who needs to be notified, how long you have to notify users, and what steps you'll take to remediate. Substack's response was relatively fast (February 3-5), which suggests they at least had a basic incident plan.

FAQ

What is a data breach notification law?

Data breach notification laws are state and federal statutes that require companies to notify individuals when their personal information is compromised in a security breach. All 50 US states, the District of Columbia, Puerto Rico, Guam, and the Virgin Islands have enacted these laws. Notification must generally happen without unreasonable delay and in the most expedient time possible. Some states specify exact timelines (California requires 28 days, New York requires 72 hours). These laws are enforced by state attorneys general, and companies that fail to notify users can face significant fines and civil liability.

How can I tell if my personal data was exposed in a breach?

You can check if your email address has appeared in known breaches by visiting Have I Been Pwned and entering your email. You can also sign up for alerts on the same site to be notified if your email appears in future breaches. Additionally, breached companies are legally required to notify affected individuals via email or mail, so watch for official notification messages. Be cautious of email phishing attempts that pretend to be breach notifications—verify by logging into the company's website directly rather than clicking links in emails.

What is a SIM swap attack and how does it use phone number data?

A SIM swap attack (also called SIM jacking) occurs when an attacker contacts your mobile carrier and convinces them to transfer your phone number to a new SIM card under the attacker's control. Once they have your number, they can intercept SMS messages, including two-factor authentication codes used to reset passwords on your email, banking, and social media accounts. This is why stolen phone numbers are valuable to criminals. If your phone number was exposed in the Substack breach, watch for suspicious login attempts on your email and important accounts, ask your carrier to add a port-out PIN or account lock (most US carriers offer one), and move accounts that matter to authenticator apps or hardware security keys, which cannot be intercepted through your phone number, instead of SMS-based two-factor authentication.

What should I do immediately after learning my data was in a breach?

Immediate steps include: changing your password on the breached service to a strong, unique password; enabling two-factor authentication if available; checking your account activity for suspicious logins; reviewing connected apps and integrations; monitoring other accounts that share the same email or phone; being suspicious of unsolicited messages; and considering placing a fraud alert or freezing your credit with credit bureaus. Do not click links in emails or texts asking you to verify your identity—instead, visit official websites directly. If you're concerned about identity theft, sign up for credit monitoring services (many are free for breach victims for one year).

How much personal data do companies need to protect under GDPR and similar laws?

Under GDPR (which applies to any company processing the personal data of people in the EU) and similar laws, companies must implement security measures appropriate to the sensitivity of the data. These measures should include encryption, access controls, regular security testing, incident response plans, and monitoring systems. The standard is framed as "appropriate technical and organizational measures." For highly sensitive data like financial information, health records, or government IDs, stronger security is required than for less sensitive data. Companies must be able to demonstrate that their security measures are reasonable and proportionate to the risk. If Substack's security measures are deemed inadequate for the type of data collected, they could face GDPR fines of up to 4% of annual global turnover or €20 million, whichever is higher.

Will my credit card information be safe if my data was in a breach?

In the Substack breach specifically, credit card information was not exposed because Substack doesn't store full credit card numbers in the system that was breached. The company likely uses a payment processor like Stripe or similar that handles payment information separately from user account data. However, the combination of email address and phone number in the hands of attackers creates fraud risk through other vectors like phishing, SIM swaps, and account takeovers. Even if payment information itself isn't stolen, attackers can use your email and phone to reset passwords and access sensitive accounts. This is why monitoring your accounts and using strong passwords and two-factor authentication are critical.

What is a dark web marketplace and how are stolen data typically sold?

Dark web marketplaces are websites hosted on anonymity networks (typically Tor) where criminals buy and sell illegal goods and services, including stolen data. Databases of exposed personal information are typically sold in bundles on these marketplaces, priced based on the type and size of data. Email and phone number lists might sell for $0.10 to $1 per record, while financial data or government IDs command higher prices. Sellers often verify the quality of stolen data to maintain reputation on these marketplaces. Buyers include spam operators, phishing scammers, identity thieves, and state-sponsored actors. Companies can hire security firms to monitor dark web marketplaces for their stolen data, and services like Have I Been Pwned alert users if their data appears in publicly available breaches. Many stolen data collections never appear on public dark web markets and remain in private use by the attackers.

What should I do if I see phishing attempts using the Substack breach data?

If you receive emails or text messages claiming to be from Substack asking you to verify your identity or update payment information, do not click any links. Instead, report the phishing attempt to Substack's security or support contact (check their website for the current address), to the Federal Trade Commission at reportfraud.ftc.gov, and to the Anti-Phishing Working Group by forwarding the email to reportphishing@apwg.org; text messages can be forwarded to 7726 (SPAM) on most US carriers. Save the email header information or screenshot the message. Log into your actual Substack account directly (by typing the URL yourself) to check whether there are any real security alerts. Never click links in unsolicited messages, even if they appear to come from trusted companies. These reports help track phishing campaigns and enable law enforcement to take action against the attackers.

How long will it take for regulatory and legal investigations to conclude?

Data breach investigations move at different speeds depending on the agency. Federal Trade Commission (FTC) investigations typically take 6-12 months after initial notification before they issue findings. State attorneys general investigations can take 6-24 months depending on the state and complexity. Criminal investigations by law enforcement (FBI, Secret Service) can take 1-3 years or longer, and often don't result in prosecutions if the attackers are outside US jurisdiction. Class action lawsuits typically settle within 1-2 years, though some cases have dragged on for 3-4 years. In the Substack case, we might see initial FTC action within 6-9 months, class action lawsuits filed within 3-4 months, and settlements negotiated within 18-24 months. However, these are estimates—actual timelines depend on the complexity of the investigation and the resources allocated.

What This Breach Means for Trust in Digital Platforms

The Substack breach is significant not because it's unprecedented—data breaches happen constantly—but because it reveals a gap in the security practices of a company handling sensitive creator and subscriber data. For independent journalists and writers, Substack represents income and livelihood. For readers, it's a primary source of trusted information. When that platform gets compromised, it affects real people's lives.

The 126-day detection window is the most damning aspect. In an era of cloud computing and real-time monitoring, it's inexcusable to not detect 700,000 user records being scraped from your systems for over four months. This suggests gaps in either infrastructure, monitoring, analysis, or incident response—likely all of the above.

What's encouraging is that Substack is being transparent about the breach and informing users. The company could have sat on this indefinitely, but it chose disclosure. It could have blurred the scope, but instead it stated plainly what was taken (email addresses and phone numbers) and what was not (passwords and payment data). This doesn't excuse the security failure, but it shows a baseline of responsibility in the response.

Moving forward, affected users should remain vigilant. The 697,313 email addresses and phone numbers should be assumed to be in criminal hands whether or not they ever surface on a public marketplace. Phishing campaigns using this data will continue for years. Identity theft risks persist. But with proper protective measures, such as strong unique passwords, two-factor authentication that doesn't rely on SMS, credit monitoring, and healthy skepticism toward unsolicited messages, users can significantly reduce their personal risk.

For Substack and similar platforms, this breach is a wake-up call. Companies handling personal data must treat security as a core business function, not an afterthought. The cost of security investment is trivial compared to the cost of breach remediation, litigation, and reputation damage. In 2025 and beyond, users should demand transparency about security practices and favor companies that demonstrate serious commitment to data protection.

The question isn't whether the next major platform will have a security breach—it's when. The real differentiator is how quickly they detect it, how honestly they communicate about it, and how seriously they address the underlying vulnerabilities.

Key Takeaways

  • Substack's 126-day detection gap reveals critical gaps in security monitoring and incident response infrastructure
  • Email addresses and phone numbers enable phishing attacks and SIM swap fraud, creating long-term identity theft risks
  • Immediate protective actions include password changes, enabling 2FA, credit monitoring, and credit freezes with bureaus
  • State data breach notification laws require notification within specific timeframes; Substack complied within 2 days of discovery
  • Class action lawsuits will likely result in $50-200M settlements, with affected users receiving $50-300 each after legal fees
