Full Report
In October 2025, the publishing platform Substack suffered a data breach; the stolen data was subsequently circulated more widely in February 2026. The breach exposed 663k account holder records containing email addresses along with publicly visible profile information from Substack accounts, such as publication names and bios. A subset of records also included phone numbers.
Analysis Summary
# Incident Report: Substack Data Breach (October 2025)
## Executive Summary
In October 2025, the publishing platform Substack experienced a data breach resulting in the exposure of 663,000 account holder records. The compromise involved the exfiltration of email addresses, publicly visible profile details (names, bios), and in a subset of cases, phone numbers. The sensitive data was subsequently circulated more widely in February 2026.
## Incident Details
- Discovery Date: February 2026 (the date the breach data began circulating widely and was publicly referenced; the date Substack itself detected the breach is not given in the source material)
- Incident Date: October 2025
- Affected Organization: Substack
- Sector: Publishing/Technology Platform
- Geography: Not specified (Global platform assumed)
## Timeline of Events
### Initial Access
- Date/Time: October 2025
- Vector: Not specified in the source material. The only established fact is that account data was read without authorization; whether this happened through an exploited vulnerability, an abused credential or API, or an insider is not stated.
- Details: Account data (email addresses, public profile fields and, for a subset of accounts, phone numbers) was compromised.
### Lateral Movement
- Details: Not specified in the source material.
### Data Exfiltration/Impact
- Date/Time: Post-October 2025 (Timing of exfiltration unknown)
- Details: Email addresses, publication names, bios, and a subset of phone numbers were stolen.
- Circulation: The stolen data was circulated more widely in February 2026.
### Detection & Response
- Detection: The date of internal detection by Substack is not specified, only the date the breach data began wider circulation (Feb 2026).
- Response Actions: Details on direct organizational response actions (containment, eradication) are not provided in the source material, aside from subsequent recommendations to users (password changes, 2FA).
## Attack Methodology
Based on the context, the primary activity was **Collection** and **Exfiltration** of user account data.
- Initial Access: Unknown.
- Persistence: Unknown.
- Privilege Escalation: Unknown.
- Defense Evasion: Unknown.
- Credential Access: Unknown. Some form of unauthorized access to the user data store was achieved, but the source does not say whether credentials were stolen or abused to obtain it.
- Discovery: Not specified in the source material.
- Lateral Movement: Unknown.
- Collection: Account holder records (Email, Public Profile Data, Phone Numbers).
- Exfiltration: Data was successfully removed from the platform environment.
- Impact: Unauthorized disclosure of PII/Account Data.
## Impact Assessment
- Financial: Not available.
- Data Breach: Exposure of approximately 663,000 (663k) account holder records. Data included:
  - Email addresses
  - Phone numbers (subset of records)
  - Public profile information (publication name, bio)
- Operational: No details on operational disruption were provided.
- Reputational: Exposure of user data leading to public reporting in February 2026.
## Indicators of Compromise
*No specific network artifacts (IPs, URLs, hashes) were provided in the summary source.*
- Behavioral Indicators: Unauthorized bulk access and exfiltration of user database records containing PII/account linkage data.
## Response Actions
*Organizational response actions are not detailed in the source. The article focuses on recommended user actions.*
- User Recommendations:
  - Change the password used on the affected account immediately, and on any other account where it was reused.
  - Enable Two-Factor Authentication (2FA) wherever supported.
## Lessons Learned
- Fields that are individually public (publication name, bio) become a linkable PII dataset once they are exfiltrated in bulk alongside email addresses and phone numbers; "already public" profile data does not reduce the impact of a bulk extraction.
- Roughly four months passed between the compromise (October 2025) and the wider circulation of the data (February 2026). The source does not say when Substack detected the breach, so it is unknown whether this gap was a detection delay or simply the time before the data surfaced publicly.
## Recommendations
- Strengthen access controls surrounding user databases to prevent unauthorized bulk extraction.
- Review data minimization policies, particularly concerning the storage of phone numbers alongside account identifiers.
- Implement continuous monitoring focused on anomalous data retrieval patterns against user record repositories.
- Accelerate threat detection capabilities to identify large-scale data egress events promptly.
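The behavioral indicator above (unauthorized bulk access to user records) and the monitoring recommendations are abstract as written. The following is an added example, not code from the source page or from Substack, of the kind of detection logic they describe: a sliding-window detector that flags a principal whose reads against the user table exceed a row budget within a time window, and separately flags any principal that touches a sensitive column (phone) without being on an allowlist. The log format, the principal names, the thresholds and the allowlist are all assumptions chosen for illustration, and the log lines are constructed, not real telemetry.

```python
"""Sliding-window bulk-read and sensitive-field detector over user-record access logs.

Added example; the log format and every threshold here are illustrative assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit log (not real Substack telemetry). Assumed line format:
#   <ISO8601 UTC timestamp> principal=<id> table=<name> rows=<n> fields=<comma-separated>
SAMPLE_LOG = """\
2025-10-14T02:00:05Z principal=web-app table=users rows=1 fields=email,bio
2025-10-14T02:00:07Z principal=web-app table=users rows=1 fields=email,bio
2025-10-14T02:01:00Z principal=analytics-ro table=users rows=5000 fields=email,phone,bio
2025-10-14T02:01:30Z principal=analytics-ro table=users rows=5000 fields=email,phone,bio
2025-10-14T02:02:00Z principal=analytics-ro table=users rows=5000 fields=email,phone,bio
2025-10-14T02:02:30Z principal=analytics-ro table=users rows=5000 fields=email,phone,bio
2025-10-14T02:03:00Z principal=analytics-ro table=users rows=5000 fields=email,phone,bio
2025-10-14T03:30:00Z principal=analytics-ro table=users rows=5000 fields=email,phone,bio
2025-10-14T03:31:00Z principal=web-app table=users rows=1 fields=email,bio
"""


def parse_line(line):
    """Parse one assumed-format audit line into a dict."""
    ts_str, *kvs = line.split()
    rec = dict(kv.split("=", 1) for kv in kvs)
    return {
        "ts": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"),
        "principal": rec["principal"],
        "table": rec["table"],
        "rows": int(rec["rows"]),
        "fields": set(rec["fields"].split(",")),
    }


def detect_bulk_reads(log_text, window=timedelta(minutes=5), row_threshold=10_000,
                      sensitive_fields=frozenset({"phone"}),
                      sensitive_allowed=frozenset({"sms-gateway"})):
    """Return alerts for reads against the users table.

    bulk_read: a principal's rows summed over the last `window` exceed row_threshold
               (one alert per burst, re-armed once the total drops back under).
    sensitive_field_access: a principal not on the allowlist reads a sensitive column
               (one alert per principal).
    """
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    recent = defaultdict(deque)   # principal -> deque of (ts, rows) still inside the window
    total = defaultdict(int)      # principal -> rows summed over `recent`
    over = set()                  # principals currently above threshold
    seen_sensitive = set()
    alerts = []
    for ev in events:
        if ev["table"] != "users":
            continue
        p = ev["principal"]
        q = recent[p]
        q.append((ev["ts"], ev["rows"]))
        total[p] += ev["rows"]
        # Evict reads older than the window so the total reflects only recent activity.
        while q and ev["ts"] - q[0][0] > window:
            _, old_rows = q.popleft()
            total[p] -= old_rows
        if total[p] > row_threshold:
            if p not in over:
                over.add(p)
                alerts.append({"reason": "bulk_read", "principal": p,
                               "at": ev["ts"].isoformat(), "rows_in_window": total[p]})
        else:
            over.discard(p)
        touched = ev["fields"] & sensitive_fields
        if touched and p not in sensitive_allowed and p not in seen_sensitive:
            seen_sensitive.add(p)
            alerts.append({"reason": "sensitive_field_access", "principal": p,
                           "at": ev["ts"].isoformat(), "fields": sorted(touched)})
    return alerts


if __name__ == "__main__":
    for alert in detect_bulk_reads(SAMPLE_LOG):
        print(alert)
```

On the constructed log the `web-app` principal's one-row reads never trip either rule, while `analytics-ro` raises a sensitive-field alert on its first read (it touches `phone` without being allowlisted) and a bulk-read alert at 02:02:00, when its 5-minute total reaches 15,000 rows. The isolated 5,000-row read at 03:30 falls outside the window and stays under threshold, which is the point of the sliding window: the detector keys on sustained extraction volume per principal rather than on any single query. In production the same logic would run over database audit logs or API gateway logs with the threshold tuned to each service account's normal volume.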