Substack has confirmed an October data breach that exposed email addresses, phone numbers and internal account metadata, while saying passwords and payment details were not accessed. The company found the issue months later and has patched the vulnerability, but users are rightly asking why the intrusion went undetected for so long. This article breaks down what was revealed, how attackers can abuse contact data, and straightforward steps you can take to protect yourself now.
The incident reportedly occurred in October and was not identified until February, meaning the exposure may have gone unnoticed for roughly four months. Substack says the exposed fields were limited to contact details and internal metadata, not credentials or financial records. That distinction matters, since an email address alone does not log anyone in, but it does not eliminate risk: contact data is exactly the raw material that phishing and impersonation run on.
In a message sent to impacted users, Substack's CEO, Chris Best, addressed the situation directly. "I'm incredibly sorry this happened," Best wrote. "We take our responsibility to protect your data and your privacy seriously, and we came up short here." He also promised the company would "work very hard to make sure it does not happen again."
Substack says it has corrected the system weakness that allowed the access and opened a full investigation into what happened. The company also indicated it has no current evidence that the exposed information is being misused. Still, the delayed detection and the lack of detail about new safeguards leave unanswered questions for many users.
Email addresses and phone numbers are small data points that unlock larger threats, especially when gathered in bulk. Attackers use verified contact details to craft convincing phishing messages, impersonations or fraud that feel personal and urgent. Even without passwords, those messages can trick people into clicking malicious links or handing over sensitive information.
Scammers often reference subscriptions, billing or account updates to create pressure and a sense of immediacy. When a message contains real details about your account, it looks legitimate at first glance and can erode normal caution. The safest move is to avoid clicking on links in unsolicited messages and instead go directly to the service's official site, typed into the browser or opened from a bookmark, to verify anything suspicious. If you do inspect a message, hover over each link to see its real destination; a link whose visible text shows one address while the underlying destination is a different or lookalike domain is the classic tell.
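One concrete way to apply that check before clicking, as an added example that is not from the article or from Substack: a short Python script that pulls every link out of a message body and flags the two things a phishing message built from leaked contact data relies on, a destination outside the service's official domain (including lookalikes such as substack.com.account-verify.example, which is not a subdomain of substack.com) and visible link text that names one host while the href goes to another. The sample message, the hosts under the reserved .example TLD and the OFFICIAL_DOMAINS list are constructed for illustration; fill in the real official domains of the service you are checking.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the only domains this sender legitimately links to. Substack's
# real link and redirect hosts may differ; fill this in for the service you
# are checking.
OFFICIAL_DOMAINS = {"substack.com"}

# Visible link text that itself looks like a URL, e.g. "https://substack.com/billing".
URL_LIKE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:/\S*)?$", re.I)


def is_official(host: str) -> bool:
    """True if host is an official domain or a subdomain of one.
    'substack.com.account-verify.example' is NOT: the test is on the suffix."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_links(html_body: str) -> list:
    """Return one finding per link that points off-domain or whose visible
    text names a different host than the real destination."""
    parser = _LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        parsed = urlparse(href)
        host = (parsed.hostname or "").lower()
        reasons = []
        if parsed.scheme not in ("http", "https"):
            reasons.append(f"unexpected scheme {parsed.scheme!r}")
        elif not is_official(host):
            reasons.append(f"destination {host!r} is not an official domain")
        m = URL_LIKE.match(text)
        if m and m.group(1).lower() != host:
            reasons.append(f"text shows {m.group(1)!r} but link goes to {host!r}")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


# Constructed sample message; the off-domain hosts use the reserved .example TLD.
SAMPLE_EMAIL = """
<p>Your Substack subscription payment failed. Update your card to keep access.</p>
<p><a href="https://substack.com/settings">Manage your subscription</a></p>
<p><a href="https://billing.substack.com.account-verify.example/login">https://substack.com/billing</a></p>
<p><a href="https://substack-support.example/update">Update payment details</a></p>
"""

if __name__ == "__main__":
    for finding in check_links(SAMPLE_EMAIL):
        print(finding["href"])
        for reason in finding["reasons"]:
            print("  -", reason)
```

The first link is left alone because it really goes to substack.com; the second is flagged twice (off-domain host and text/destination mismatch) and the third once. The domain check deliberately compares suffixes rather than substrings, which is what defeats the "substack.com.something.example" trick.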
Practical steps now include strengthening passwords and eliminating reuse across services. Changing reused passwords matters even though credentials were not part of this leak: the standard follow-on attack, credential stuffing, pairs each exposed email address with passwords from older breaches of other sites and tries the combinations against every service the address is registered with. Consider a reputable password manager to generate and store unique, complex passwords so you don't have to rely on memory or repeated phrases.
Enable two-factor authentication wherever it's available to make account takeover significantly harder. Add 2FA to email accounts and any services tied to the phone numbers or addresses that might have been exposed. If your phone number is linked to account recovery, prefer an authenticator app or hardware key over SMS codes: a phone number that is now in attackers' hands is the starting point for SIM-swap attempts, which redirect text-message codes and recovery calls to a device the attacker controls.
Use breach-scanning tools to see whether your email address has appeared in previous leaks, and act quickly if it has. If a scan flags an exposure, change the affected passwords immediately and review account recovery settings (the backup email and phone number that can reset the password). Some password managers include built-in breach checking that automates parts of this process.
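How that built-in breach check can work without ever uploading the password, as an added example that is not the article's or any vendor's code: Have I Been Pwned's Pwned Passwords range API takes only the first five hex characters of the password's SHA-1 hash and returns every suffix in that bucket with a count, so the comparison happens locally and the server never learns the password or its full hash. The API URL, the Add-Padding header and the SUFFIX:COUNT response format follow HIBP's public documentation, but the response body used below is constructed (the counts are made up; only the suffix of SHA-1("password") is real), and the live fetcher is included for reference but not called.

```python
import hashlib
import urllib.request

RANGE_API = "https://api.pwnedpasswords.com/range/"


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the form the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str) -> tuple:
    """(prefix, suffix): only the 5-character prefix ever leaves the device,
    so the server sees one of 16^5 buckets, not the password or its hash."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines (CRLF or LF) into {suffix: count}.
    Padded entries, if requested, arrive with a count of 0 and are harmless."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range) -> int:
    """Number of times the password appears in the corpus (0 = not seen).
    fetch_range(prefix) returns the response body for that prefix."""
    prefix, suffix = split_hash(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def fetch_range_live(prefix: str) -> str:
    """Real lookup over the network. Add-Padding asks the API to pad the
    bucket so the response size does not hint at which one was requested."""
    req = urllib.request.Request(RANGE_API + prefix, headers={"Add-Padding": "true"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the API response for bucket 5BAA6, the bucket that
# SHA-1("password") falls in. Suffixes and counts are made up, except that the
# second line's suffix is the real remainder of SHA-1("password").
FAKE_RANGE_RESPONSES = {
    "5BAA6": (
        "003D68EB55068C33ACE09247EE4C639306B:3\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234567\r\n"
        "00CD8BC3D6C9C4E4AF7C6A5B8E2D1F0A9B3:1\r\n"
    ),
}


def fetch_range_offline(prefix: str) -> str:
    """Offline substitute for fetch_range_live using the constructed data."""
    return FAKE_RANGE_RESPONSES.get(prefix, "")


if __name__ == "__main__":
    for pw in ("password", "xK9#vL2!qR8mT4pW"):
        print(pw, "->", breach_count(pw, fetch_range_offline))
```

To run it against the real corpus, pass fetch_range_live instead of fetch_range_offline. The property worth noticing is that breach_count hands the fetcher only the five-character prefix; anything else about the password stays on your machine.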
Consider trimming how widely your contact details appear online by using data removal services if you feel exposed. Those services monitor and remove your information from many public sources, which reduces the raw material scammers use. Fewer public data points translate to fewer opportunities for attackers to construct credible scams.
Keep antivirus and anti-malware defenses up to date, and be skeptical of attachments or unexpected downloads. Modern protection tools can block malicious links and quarantine threats before they execute, making this a useful layer alongside cautious behavior. Regularly update devices and apps so already-patched vulnerabilities can't be used against you.
Transparency and timely detection are central to rebuilding user trust after breaches, and companies must do better at explaining both the root cause and the fixes. Users should expect prompt notification, clear answers about what was affected and practical guidance for reducing risk. Meanwhile, staying alert and tightening your own controls remains the best immediate response.
Have you changed how you protect your email and phone number after recent breaches, and which steps make you feel safest? Share your approach in comments or the next newsletter so others can learn from what’s working.
