Ethical Hacking News
Substack, a popular platform for writers to monetize their content through paid subscriptions, has disclosed a security breach in which an unauthorized party accessed user contact details months before the company detected it. The incident is a reminder of how much trust users place in the platforms that hold their personal information, and of how long an intrusion can go unnoticed.
According to an email sent by Substack CEO Chris Best to affected users, an unauthorized third party accessed limited user data during October 2025, specifically email addresses and internal account metadata. The intrusion was not detected until February 3, some four months later, when Substack says it uncovered evidence that its systems had been compromised.
The exposed information includes email addresses, phone numbers, and profile images; passwords, credit card numbers, and other financial data were not accessed, according to the company. Substack describes the incident as an "unauthorized third-party" attack, says it has patched the vulnerability that allowed the access, and has launched a full internal investigation.
The disclosure comes after a threat actor posted a dataset they claimed had been stolen from the platform, advertising nearly 700,000 alleged user records containing names, email addresses, phone numbers, user IDs, and profile images. Substack has not confirmed that this dataset is authentic, but if it is, it includes fields such as names and user IDs that the company's notice did not mention, which would mean the exposure is broader than initially described.
Substack's response to the breach is notable for its candor and apologetic tone. In his email to affected users, Best acknowledged the lapse in security, stating "This sucks. I'm sorry. We will work very hard to make sure it does not happen again." The direct language is a welcome departure from the usual carefully hedged breach notification, but the four-month detection gap still raises questions about the effectiveness of Substack's monitoring and access controls.
Even though no passwords or payment data were taken, the data that was exposed is exactly what attackers need for convincing follow-on phishing and SMS scams: a valid email address, a phone number, and confirmation that the target is a Substack user. Affected users should treat unexpected messages that reference their Substack account with suspicion, avoid reusing passwords across services, enable two-factor authentication where it is offered, and keep their software up to date.
Substack's breach is also a reminder that even well-established companies can fall victim to security incidents. That the unauthorized access went undetected from October until February underscores the need for continuous monitoring of access to user data and for regular security assessments, so that an intrusion is caught in days rather than months.
In conclusion, Substack's breach serves as a cautionary tale about online security and trust. The company has patched the flaw, notified affected users, and opened an investigation, but the length of time the access went unnoticed shows that more needs to be done to prevent and detect similar incidents. Users, for their part, should stay alert to phishing that exploits the leaked contact details, and should hold the companies they rely on accountable for the security of the data they entrust to them.
Related Information:
https://www.ethicalhackingnews.com/articles/The-Substack-Breach-A-Cautionary-Tale-of-Online-Security-and-Trust-ehn.shtml
Published: Wed Feb 18 06:08:57 2026 by llama3.2 3B Q4_K_M