
Substack Confirms Data Breach After 100-Day Undetected Access Exposes 700,000 Users

Substack discloses a security incident in which an attacker scraped 697,313 user records over 100 days of undetected access, exposing email addresses, phone numbers, and personal details of the platform's journalists and writers.

TechDrop Editorial

Substack disclosed a security incident on February 5, 2026, when CEO Chris Best notified users of unauthorized access to user data. The attacker had been active since October 2025 — approximately 100 days of undetected access before Substack's internal team identified the intrusion on February 3. One day before internal discovery, 697,313 user records appeared on BreachForums.

What Was Exposed

The exposed data includes email addresses, phone numbers, full names, user IDs, Stripe customer IDs, profile pictures, biographies, account creation dates, and social media handles. Passwords and financial data were not exposed — Substack does not store passwords in a form accessible through the scraping method used, and payment data is handled by Stripe.

The attacker described the method as "scraping" and characterized it as "noisy" — implying the data collection generated observable signals in server logs that a properly configured detection stack should have caught. The 100-day dwell time suggests Substack's monitoring either missed those signals or did not escalate them as security incidents.

Why Substack Matters

Substack hosts hundreds of thousands of independent journalists, researchers, and public commentators. The combination of email addresses, phone numbers, and social media handles creates a high-value target list for adversaries interested in harassing, surveilling, or compromising journalists — a target category with distinct geopolitical and civil liberties implications beyond ordinary consumer breach risks.

Phone numbers and email addresses together are the primary inputs for SIM-swap attacks, where an attacker convinces a mobile carrier to transfer a victim's phone number to an attacker-controlled SIM. A successful SIM-swap defeats SMS-based two-factor authentication. For journalists whose accounts may contain confidential source communications, the risk is substantially elevated.

Detection Failure

The 100-day dwell time is a significant finding. Industry benchmarks consistently place mean dwell time as one of the most important indicators of incident severity, because longer dwell times allow attackers more time to expand access and exfiltrate data. A 100-day undetected access period for what the attacker described as "noisy" suggests a gap in anomaly detection, rate limiting, or log review practices.
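To make the "noisy scraping should have been caught" point concrete, the following is an added example written for this article; it is not Substack's tooling and nothing about Substack's real logs or endpoints is known here. It runs a sliding-window enumeration detector over constructed access-log lines: the log format, the assumed profile endpoint `/api/v1/users/<id>`, the client addresses and the thresholds are all assumptions. It flags any client that fetches more distinct user profiles in a five-minute window than an organic reader plausibly would, and reports how much of that client's traffic walks user IDs sequentially, which is the kind of signal a log-review or anomaly-detection pipeline would surface long before 100 days.

```python
"""Sliding-window detector for user-profile enumeration in web access logs.

Added illustration for this article, not Substack's code. The log format,
endpoint path, client addresses and thresholds are assumptions for the example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format: <client_ip> [<ISO-8601 timestamp>] "GET <path>" <status>
LOG_RE = re.compile(r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "GET (?P<path>\S+)" (?P<status>\d{3})$')
# Assumed endpoint that returns one user's profile record by numeric ID.
PROFILE_RE = re.compile(r"^/api/v1/users/(?P<uid>\d+)$")


def parse_line(line):
    """Return (ip, timestamp, user_id) for a profile request, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    p = PROFILE_RE.match(m.group("path"))
    if not p:
        return None  # not a profile fetch; irrelevant to enumeration detection
    return m.group("ip"), datetime.fromisoformat(m.group("ts")), int(p.group("uid"))


def detect_enumeration(lines, window=timedelta(minutes=5), distinct_threshold=25):
    """Flag clients fetching more than `distinct_threshold` distinct profiles
    inside any `window`-long span.

    Returns {ip: (peak_distinct_profiles_in_window, sequential_fraction)} where
    sequential_fraction is the share of that client's profile requests whose
    user ID is exactly the previous ID + 1 (ID walking, not organic browsing).
    """
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e[1])
    recent = defaultdict(deque)      # ip -> (timestamp, uid) pairs within the window
    peak = defaultdict(int)          # ip -> highest distinct-profile count seen
    last_uid, seq_hits, total = {}, defaultdict(int), defaultdict(int)
    for ip, ts, uid in events:
        q = recent[ip]
        q.append((ts, uid))
        while q and ts - q[0][0] > window:   # drop requests older than the window
            q.popleft()
        peak[ip] = max(peak[ip], len({u for _, u in q}))
        total[ip] += 1
        if ip in last_uid and uid == last_uid[ip] + 1:
            seq_hits[ip] += 1
        last_uid[ip] = uid
    return {
        ip: (peak[ip], seq_hits[ip] / total[ip])
        for ip in peak
        if peak[ip] > distinct_threshold
    }


def constructed_log():
    """Constructed sample log: one organic reader and one ID-walking scraper."""
    base = datetime(2026, 1, 10, 12, 0, 0)

    def line(ip, offset_s, path):
        return f'{ip} [{(base + timedelta(seconds=offset_s)).isoformat()}] "GET {path}" 200'

    # Organic reader: a handful of unrelated profiles over ~12 minutes, plus a non-profile page.
    lines = [line("203.0.113.7", s, f"/api/v1/users/{uid}")
             for s, uid in [(0, 41827), (90, 5), (400, 99120), (700, 41827)]]
    lines.append(line("203.0.113.7", 10, "/home"))
    # Scraper: 40 consecutive user IDs in about two minutes, one every 3 seconds.
    lines += [line("198.51.100.9", 3 * i, f"/api/v1/users/{100000 + i}") for i in range(40)]
    return lines


if __name__ == "__main__":
    for ip, (count, seq) in detect_enumeration(constructed_log()).items():
        print(f"ALERT {ip}: {count} distinct profiles in window, {seq:.0%} sequential IDs")
```

The threshold and window are deliberately simple; in practice they would be tuned per endpoint against baseline traffic, and the sequential-ID fraction is the stronger discriminator because legitimate readers almost never walk IDs in order. Pairing an alert like this with per-client rate limiting on record-returning endpoints closes the gap the article describes.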

Recommendations

Affected users — particularly those whose phone numbers were exposed — should contact their mobile carrier to add PIN or passcode requirements for SIM change requests. Enabling app-based two-factor authentication rather than SMS-based 2FA on accounts linked to exposed email or phone numbers reduces the risk of SIM-swap-enabled account takeover. Substack has stated it is working with external security researchers to investigate the full scope and implement additional monitoring.