Substack has confirmed a data breach that exposed phone numbers and email addresses of some users, raising fresh concerns about privacy and security in the rapidly growing creator economy.
Newsletter platform Substack has confirmed a data breach that resulted in the exposure of user phone numbers and email addresses, sending shockwaves through the creator economy and renewing scrutiny of how digital publishing platforms safeguard personal data.
The breach, disclosed after an internal investigation, affected a subset of users including newsletter creators and subscribers. While Substack emphasized that no payment details or passwords were compromised, the exposure of direct contact information is significant—particularly for creators whose livelihoods depend on trust and audience relationships.
What happened?
According to Substack, unauthorized access allowed attackers to view certain user records containing email addresses and phone numbers. The company did not specify the exact number of users affected, but acknowledged that the breach stemmed from a third-party system vulnerability rather than its core publishing infrastructure.
Substack says it has since secured the affected systems, notified impacted users, and reported the incident to relevant regulators.
Why phone numbers matter more than passwords
While passwords can be changed, phone numbers and email addresses are permanent identifiers. Cybersecurity experts warn that such data can be exploited for phishing, SIM-swap attacks, targeted harassment, and identity correlation across platforms.
For independent journalists, activists, and niche creators—many of whom use Substack precisely to avoid platform dependency—this exposure raises serious safety and reputational risks.
Creator economy under pressure
Substack has positioned itself as a creator-first alternative to social media, emphasizing independence, ownership, and direct audience relationships. That positioning makes security incidents particularly damaging.
Unlike mass-market platforms, Substack hosts sensitive newsletters covering politics, finance, healthcare, and personal narratives. In some regions, disclosure of contact details could carry real-world consequences.
Substack’s response

The company stated it is enhancing internal monitoring, auditing third-party integrations, and accelerating its security roadmap. Substack also reiterated that it does not sell user data and that the breach did not involve content access.
However, the lack of precise numbers and the limited technical detail have drawn criticism from privacy advocates calling for greater transparency.
A broader industry problem
The incident reflects a wider challenge across SaaS and creator platforms: rapid growth often outpaces security maturity. As newsletter platforms expand monetization features—payments, analytics, SMS alerts—the volume of sensitive data they handle increases dramatically.
Regulators in the US and EU are increasingly scrutinizing how platforms disclose breaches and manage user consent.
What users should do now
Security professionals advise affected users to:
- Be cautious of unsolicited emails or messages
- Enable two-factor authentication where available
- Monitor for phishing attempts referencing Substack activity
- Avoid reusing email-linked credentials elsewhere
The trust test ahead
For Substack, the breach represents a critical trust test. The platform’s success depends not just on tools, but on creators’ confidence that their independence does not come at the cost of security.
As the creator economy professionalizes, privacy expectations will only rise.

