Substack has informed some users that their email addresses and phone numbers were compromised during a data breach that occurred in October 2025. The breach was only detected on February 3, 2026. In a communication to users, CEO Chris Best explained that a hacker accessed internal data without authorization but confirmed that passwords and financial information like credit card numbers remain secure. Best urged users to be cautious of any suspicious emails or text messages, although he noted that there’s no evidence the exposed information is currently being misused. Substack has addressed the security issue and is conducting a full investigation to prevent future incidents. However, the company did not disclose the specifics of the security flaw or the number of affected users. Some Verge staff members, including the author, reported not receiving the alert from Substack, raising questions about the communication process. Best expressed regret over the incident, emphasizing the company’s commitment to data protection and user privacy. The breach highlights ongoing vulnerabilities in digital platforms and the importance of transparency in addressing security concerns.