Data leak at Substack: Dataset with nearly 700,000 entries online

Cybercriminals have exfiltrated data from Substack. The dataset comprises around 700,000 entries and is available online.

Criminals were able to exfiltrate data from numerous users on Substack. The company has since acknowledged the IT security incident.

The Substack platform lets users publish journalistic content, blogs, newsletters, or podcasts and, where applicable, monetize them through subscriptions. CEO Chris Best has now written to customers in a mass email informing them about the IT incident. “I am writing to let you know about a security incident that resulted in your email address and phone number associated with your Substack account being shared without your consent,” Best's email begins.

According to the company, Substack found evidence of a problem with its IT systems on February 3, 2026, which allowed unauthorized third parties limited access to user data. This affected email addresses, phone numbers, and other internal metadata; credit card numbers, passwords, and financial information were not accessed.

“We have resolved the issue with our systems that allowed this to happen. We are conducting a full investigation and taking steps to improve our processes and systems to prevent this type of issue from happening again in the future,” Best continued. “We have no indication that this information is being misused, but we recommend that you exercise extra caution with any emails or text messages that seem suspicious.” Best concluded with the words: “This is really frustrating. I'm sorry. We will work hard to ensure this doesn't happen again.”

The dataset is already circulating in the digital underground. The file is 697,293 lines long, and the data appears to have been obtained through scraping. In this process, perpetrators mass-extract information that is usually publicly visible in individual accounts and compile it into a large database. Malicious actors can then use it for more targeted and authentic-looking phishing, because they know that the listed victims have a Substack account.

The dataset is expected to become accessible and searchable on Troy Hunt's Have-I-Been-Pwned project shortly. About two years ago, Substack caused a stir because the company refused to delete Nazi content. Shortly after the matter gained more attention, Substack eventually relented, at least a little.

(dmk)

This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.