When did Substack detect the data breach?

Substack detected the breach on February 3, 2026, approximately four months after the unauthorized access occurred in October 2025.

How is Substack addressing the data breach?

Substack has patched the security vulnerability, initiated a full investigation, and is enhancing its systems and processes to prevent future incidents.

Substack's 2025 Data Breach: A Wake-Up Call for Security Monitoring

Discover the details of Substack's 2025 data breach, the delayed detection, and the lessons learned for enhancing security monitoring and incident response.

Published: February 6, 2026

Share this on:

Executive Summary

In October 2025, Substack, a prominent newsletter platform, experienced a data breach where an unauthorized third party accessed user data, including email addresses, phone numbers, and internal metadata. The breach was not detected until February 3, 2026, leading to a four-month delay in notification. Importantly, sensitive information such as passwords, credit card numbers, and financial data remained secure. (techcrunch.com)

This incident underscores the critical need for robust security monitoring and rapid breach detection mechanisms. The prolonged detection period highlights potential vulnerabilities in Substack's security infrastructure, emphasizing the importance of timely incident response to protect user data and maintain trust.

Why This Matters Now

The Substack data breach highlights the urgent need for organizations to enhance their security monitoring and incident response capabilities. The four-month detection delay exposes potential gaps in Substack's security infrastructure, emphasizing the importance of timely breach detection to protect user data and maintain trust.

Attack Path Analysis

In October 2025, an unauthorized third party exploited a vulnerability in Substack's systems to access user data, including email addresses, phone numbers, and internal metadata. The attackers leveraged this access to escalate privileges within the system, enabling them to move laterally across Substack's infrastructure. They established command and control channels to maintain persistent access and exfiltrated the compromised data. The breach remained undetected until February 2026, highlighting significant gaps in Substack's monitoring and detection capabilities.

Kill Chain Progression

Initial Compromise

Mediuminferred

Privilege Escalation

Lowinferred

Lateral Movement

Lowinferred

Command & Control

Lowinferred

Exfiltration

Mediuminferred

Impact

Mediuminferred

Initial Compromise

Description

An unauthorized third party exploited a vulnerability in Substack's systems to gain access to user data, including email addresses, phone numbers, and internal metadata.

Confidence:

Medium

MITRE ATT&CK® Techniques

Techniques identified for SEO/filtering; may be expanded with full STIX/TAXII enrichment later.

Reconnaissance

T1589.002

Gather Victim Identity Information: Email Addresses

Resource Development

T1586.002

Compromise Accounts: Email Accounts

Collection

T1114.002

Email Collection: Remote Email Collection

Reconnaissance

T1598

Phishing for Information

Reconnaissance

T1656

Impersonation

Potential Compliance Exposure

Mapping incident impact across multiple compliance frameworks.

PCI DSS 4.0 – Protect stored cardholder data

Control ID: 3.4

The breach exposed sensitive customer information, indicating inadequate protection of stored data.

NYDFS 23 NYCRR 500 – Encryption of Nonpublic Information

Control ID: 500.15

The incident suggests that nonpublic information was not properly encrypted, violating data protection requirements.

DORA – ICT Risk Management Framework

Control ID: Article 10

The breach highlights deficiencies in the organization's ICT risk management framework, leading to unauthorized data access.

CISA ZTMM 2.0 – Data Protection

Control ID: 3.1

The exposure of email addresses and phone numbers indicates a failure in implementing robust data protection measures.

NIS2 Directive – Cybersecurity Risk Management Measures

Control ID: Article 21

The incident reveals shortcomings in cybersecurity risk management practices, resulting in a data breach.

Sector Implications

Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.

Online Publishing

Newsletter platforms like Substack face direct data breach risks exposing subscriber communications, requiring enhanced egress security and encrypted traffic protection for sensitive editorial content.

Media Production

Content creators using newsletter platforms risk subscriber data exposure and lateral movement attacks, necessitating zero trust segmentation and multicloud visibility for distributed publishing workflows.

Marketing/Advertising/Sales

Marketing teams leveraging newsletter platforms face email list compromises and data exfiltration risks, requiring threat detection capabilities and policy enforcement for customer communication channels.

Higher Education/Acadamia

Academic institutions using newsletter services for communications face HIPAA compliance risks from student data exposure, requiring kubernetes security and anomaly detection for educational content distribution.

Sources

Newsletter platform Substack notifies users of data breachhttps://www.bleepingcomputer.com/news/security/newsletter-platform-substack-notifies-users-of-data-breach/
Verified

Substack confirms data breach affects users' email addresses and phone numbershttps://techcrunch.com/2026/02/05/substack-confirms-data-breach-affecting-email-addresses-and-phone-numbers/

Verified

Substack says intruder lifted emails, phone numbers in months-old breachhttps://www.theregister.com/2026/02/05/substack_admit_security_incident/

Verified

Frequently Asked Questions

The breach exposed user email addresses, phone numbers, and internal metadata. Sensitive information such as passwords, credit card numbers, and financial data were not accessed.

Cloud Native Security Fabric Mitigations and ControlsCNSF

Aviatrix Zero Trust CNSF is pertinent to this incident as it could have limited the attacker's ability to escalate privileges, move laterally, and exfiltrate data by enforcing strict segmentation and identity-aware policies.

Initial Compromise

Control: Cloud Native Security Fabric (CNSF)

Mitigation: The attacker's initial access may have been constrained, reducing the likelihood of unauthorized entry into sensitive systems.

Privilege Escalation

Control: Zero Trust Segmentation

Mitigation: The attacker's ability to escalate privileges would likely have been constrained, limiting their access to sensitive data.

Lateral Movement

Control: East-West Traffic Security

Mitigation: The attacker's lateral movement could have been restricted, reducing their ability to access additional resources.

Command & Control

Control: Multicloud Visibility & Control

Mitigation: The establishment of command and control channels may have been detected and disrupted, limiting persistent access.

Exfiltration

Control: Egress Security & Policy Enforcement

Mitigation: Data exfiltration attempts could have been identified and blocked, reducing the risk of data loss.

Impact (Mitigations)

The exposure of sensitive user information may have been limited, reducing the potential for subsequent malicious activities.

Impact at a Glance

Affected Business Functions

User Account Management
Subscriber Communications
Marketing Outreach

Operational Disruption

Estimated downtime: N/A

Financial Impact

Estimated loss: N/A

Data Exposure

Email addresses, phone numbers, and internal metadata of users.

Recommended Actions

• Implement Zero Trust Segmentation to enforce least privilege access and limit lateral movement within the network.
• Deploy East-West Traffic Security controls to monitor and restrict internal traffic, preventing unauthorized lateral movement.
• Enhance Threat Detection & Anomaly Response capabilities to identify and respond to suspicious activities promptly.
• Utilize Multicloud Visibility & Control tools to gain comprehensive insights into cloud environments and detect potential threats.
• Establish Egress Security & Policy Enforcement mechanisms to control outbound traffic and prevent data exfiltration.

Secure the Paths Between Cloud Workloads

A cloud-native security fabric that enforces Zero Trust across workload communication—reducing attack paths, compliance risk, and operational complexity.

Stop Advanced Threats Get a Free Workload Attack Path Assessment Under Active Attack?

Substack's 2025 Data Breach: A Wake-Up Call for Security Monitoring

Executive Summary

Why This Matters Now

Attack Path Analysis

Kill Chain Progression

Initial Compromise

Description

MITRE ATT&CK® Techniques

Gather Victim Identity Information: Email Addresses

Compromise Accounts: Email Accounts

Email Collection: Remote Email Collection

Phishing for Information

Impersonation

Potential Compliance Exposure

PCI DSS 4.0 – Protect stored cardholder data

NYDFS 23 NYCRR 500 – Encryption of Nonpublic Information

DORA – ICT Risk Management Framework

CISA ZTMM 2.0 – Data Protection

NIS2 Directive – Cybersecurity Risk Management Measures

Sector Implications

Online Publishing

Media Production

Marketing/Advertising/Sales

Higher Education/Acadamia

Sources

Frequently Asked Questions

Cloud Native Security Fabric Mitigations and ControlsCNSF

Impact at a Glance

Affected Business Functions

Recommended Actions

Key Takeaways & Next Steps

Secure the Paths Between Cloud Workloads