Tuesday, 02 January 2024 12:17 GMT

Substack Discloses User Contact Data Breach


(MENAFN- The Arabian Post)

Substack has confirmed that a security breach exposed limited user contact information, including email addresses and phone numbers, prompting renewed scrutiny of data protection practices across creator-focused platforms. The company said the incident did not involve passwords, payment details or private content, and that access was cut off after the activity was identified.

According to a statement issued by Substack, an unauthorised third party gained access to certain internal systems used for account management. The company said the breach affected a subset of users whose details were stored in those systems, and that impacted users were being notified directly. Substack added that it had engaged external cybersecurity specialists to investigate the incident and to strengthen safeguards.

The disclosure comes as subscription-based publishing platforms continue to attract high-profile writers, journalists and commentators, increasing the volume and sensitivity of personal data they hold. While Substack emphasised that no financial information was compromised, the exposure of contact details raises concerns about phishing, impersonation and targeted scams, risks that cybersecurity experts say often follow such incidents.

In its account of the breach, Substack said the attacker did not gain ongoing access and that the company reset relevant credentials, tightened access controls and reviewed logging and monitoring procedures. It also said law enforcement had been informed, a standard step in incidents involving unauthorised system access, though it declined to comment on the identity or location of the attacker.

Privacy advocates note that email addresses and phone numbers, even without passwords, can be valuable to malicious actors when combined with other datasets. Such information can be used to craft convincing messages that appear to originate from trusted services, increasing the likelihood that recipients will divulge further details or click on malicious links. Substack said it would not ask users to provide passwords or payment information in follow-up communications and urged caution with unsolicited messages.

The incident highlights the growing pressure on digital publishing platforms to balance rapid growth with robust security. Substack's model relies on direct relationships between writers and readers, often involving newsletters that discuss politics, business and culture. That prominence has made the platform an attractive target, particularly as high-profile accounts can lend credibility to fraudulent outreach if contact data are misused.

Industry analysts point out that breaches involving limited datasets have become more common as attackers probe peripheral systems rather than core payment infrastructure. In many cases, support tools, marketing databases or customer relationship systems are less rigorously protected than transaction platforms, despite containing personally identifiable information. Substack said its investigation focused on precisely how access was obtained and whether any process gaps contributed.

The company has faced questions from users about transparency and timing. Some creators said they learned of the incident through direct notices rather than a broader public disclosure, while others called for clearer guidance on how to protect subscribers. Substack said it aimed to provide updates as its investigation progressed, while avoiding speculation that could compromise security or ongoing inquiries.

Regulatory expectations around breach notification vary by jurisdiction, but data protection authorities increasingly emphasise prompt disclosure and clear communication of risks. Although Substack operates globally, it said it was assessing notification obligations across regions and cooperating with relevant authorities where required.

The episode also feeds into a wider debate about the responsibilities of platforms that position themselves as alternatives to traditional media outlets. As independent publishing grows, so does the need for enterprise-grade security, particularly when platforms handle contact information for millions of readers. Competitors and peers have invested heavily in encryption, access management and incident response, reflecting the rising costs of cyber incidents both in remediation and reputational damage.



