Substack Hacked — What 50 Million Users Need To Know | #hacker


When you think of blogging in 2026, especially in terms of monetization, be that the written word, podcasting or video-based, then Substack has to be front and center of your mind. The subscription-based platform has, it said, some 50 million active subscribers, including 5 million paid subscriptions. Substack has also now said it has been hacked. Here’s what you need to know and do.

ForbesNew Chrome Browser Security Alert — Restart Now, Google Says

The Substack Hack — What We Know So Far

Substack users have been receiving emails from CEO Chris Best this week. That’s not unusual for a hip online media organization, with emails from the boss providing a personal touch to make subscribers feel special. Except that the users who got the Feb. 4 email would have felt far from that. The email, you see, was to inform them that a hacker had accessed the personal data of some users, and that they might be affected.

“On February 3rd, we identified evidence of a problem with our systems that allowed an unauthorized third party to access limited user data without permission,” Best confirmed in the email, “including email addresses, phone numbers, and other internal metadata.”

The security incident itself apparently occurred way back in October 2025, which does rather beg the question of why it has only now come to the attention of the Substack security team. I contacted Substack for a statement and was referred to the email itself, in which Best said the company is conducting a full investigation, and is “taking steps to improve our systems and processes to prevent this type of issue from happening in the future.” Best also confirmed that “credit card numbers, passwords, and financial information were not accessed.”

ForbesMicrosoft Windows Disappearing Password Update Confirmed

“Transparent breach notifications should always be commended,” Javvad Malik, lead security awareness advocate at KnowBe4, told me, adding that “it is a bit light on the details, which can help people accurately judge the risk and take concrete action.” As Malik pointed out, email addresses and phone numbers are enough for targeted phishing, SIM-swap attempts or doxxing. “Even if passwords weren’t accessed,” Malik warned, “attackers don’t need passwords if they can socially engineer users.”

What’s more, and to my point of how long it took to detect the hack, Malik said, “if the data was accessed in October 2025, but only just disclosed, it’s a significant dwell time,” and “impacted users deserve a clearer explanation of how the breach was identified and which monitoring controls failed to detect it initially, and most importantly, what’s changing as a result.”

Substack has advised that its users “take extra caution with any emails or text messages you receive that may be suspicious,” and confirmed that the security issue that enabled the access has since been fixed. However, it is not yet known what that issue was or, indeed, how many users have been affected by it.



Click Here For The Original Source.

——————————————————–

..........

.

.

National Cyber Security

FREE
VIEW