Substack’s Data Breach Exposes 22 Million Email Addresses — And Raises Hard Questions About Platform Security

A massive data breach affecting the popular newsletter platform Substack has sent ripples through the media and publishing industries, after a trove of roughly 22 million email addresses linked to user accounts was found circulating on a well-known hacking forum. The breach, which appears to have occurred in early 2025 but only recently gained widespread attention, has raised pointed questions about how the company handles user data, communicates security incidents, and protects the millions of writers and readers who depend on its infrastructure.
The leaked data reportedly includes email addresses, usernames, and other account-related metadata tied to Substack accounts. While passwords do not appear to have been included in the dump — a fact that has offered some limited reassurance — security researchers warn that the exposed information is more than sufficient to fuel sophisticated phishing campaigns, credential-stuffing attacks, and social engineering schemes targeting both newsletter creators and their subscribers.
How the Breach Was Discovered and What Was Exposed
According to a report from TechRepublic, the breach came to light after a dataset containing approximately 22 million records was posted on BreachForums, a notorious marketplace for stolen data. The individual who uploaded the data claimed to have obtained it from Substack’s systems, though the exact method of exfiltration has not been publicly confirmed. Security researchers who examined samples of the data found it to be consistent with legitimate Substack account information, lending credibility to the claim.
The exposed records reportedly include email addresses, display names, subscription details, and in some cases, information about which newsletters individual users follow. For a platform whose entire business model revolves around the relationship between writers and their audiences, this kind of data exposure carries particular weight. Newsletter creators on Substack often build their livelihoods around their subscriber lists, and the leak of those lists — even without financial data — represents a significant breach of trust.
Substack’s Response Has Been Measured — Critics Say Too Measured
Substack has acknowledged the incident but has been notably restrained in its public communications. The company has not issued a detailed post-mortem or provided a comprehensive timeline of events. In statements to media outlets, Substack indicated that it was investigating the matter and that it had found no evidence that passwords or payment information were compromised. The company also encouraged users to enable two-factor authentication and to be vigilant about suspicious emails.
That response has drawn criticism from cybersecurity professionals and some of Substack’s own users. Troy Hunt, the security researcher who operates the breach notification service Have I Been Pwned, has been vocal about the need for companies to be more forthcoming when user data is exposed. While Hunt has not specifically commented on the Substack incident at length, his long-standing position — that affected individuals deserve prompt and transparent notification — reflects the sentiment shared by many in the security community regarding this breach.
The Phishing Risk Is Real and Immediate
Perhaps the most pressing concern stemming from the breach is the potential for highly targeted phishing attacks. Because the leaked data includes information about which newsletters users subscribe to, attackers could craft convincing emails that appear to come from specific Substack writers. A subscriber to a popular finance newsletter, for example, might receive a fraudulent email that mimics that writer’s style and branding, directing them to a malicious link designed to harvest login credentials or install malware.
This type of attack — sometimes called spear phishing — is considerably more effective than generic phishing campaigns because it exploits existing trust relationships. Substack’s model, which emphasizes direct, personal connections between writers and readers, makes its user base an especially attractive target. Security experts have warned that users should treat any unexpected email purporting to come from a Substack newsletter with heightened suspicion, particularly if it requests login credentials or directs users to unfamiliar websites.
A Growing Pattern of Platform Breaches in the Media Sector
The Substack breach is not an isolated event. Over the past two years, a number of platforms serving the media and publishing industries have experienced significant security incidents. In 2023, Flipboard disclosed a breach affecting user accounts, and various WordPress-based publishing platforms have been repeatedly targeted by threat actors seeking access to subscriber data and content management systems. The pattern suggests that platforms handling large volumes of user data — particularly email addresses and subscription information — remain high-value targets for cybercriminals.
What distinguishes the Substack breach is the nature of the platform itself. Unlike a traditional news outlet or social media company, Substack functions as a hybrid between a publishing tool and a payment processor. Writers collect subscription fees through the platform, and readers entrust it with their email addresses and, in many cases, their credit card information. While Substack has stated that payment data was not part of the leak, the incident underscores the breadth of sensitive information that flows through the platform on a daily basis.
What Writers and Creators Should Do Now
For the thousands of independent writers who have built their businesses on Substack, the breach raises practical and strategic questions. In the short term, TechRepublic recommends that all Substack users — both writers and readers — immediately enable two-factor authentication on their accounts, review their connected email addresses for signs of unauthorized access, and change passwords if they have reused their Substack credentials on other services.
Beyond these immediate steps, some writers have begun discussing whether the breach should prompt a broader reevaluation of their dependence on any single platform. The incident has revived conversations about the importance of maintaining independent email lists through services like Mailchimp or ConvertKit, rather than relying exclusively on Substack’s built-in subscriber management tools. While Substack allows writers to export their subscriber lists, the breach has highlighted the risks of entrusting a third party with the core asset of any newsletter business: the audience itself.
Regulatory and Legal Implications Could Follow
Depending on where affected users are located, the breach could trigger regulatory scrutiny under data protection laws such as the European Union’s General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA). Both frameworks impose obligations on companies to notify affected individuals and relevant authorities within specific timeframes following a data breach. If Substack is found to have delayed notification or failed to implement adequate security measures, it could face significant fines and legal action.
Legal experts have noted that class-action lawsuits following data breaches have become increasingly common in the United States, even when the exposed data does not include financial information. The argument typically centers on the increased risk of identity theft and the burden placed on affected individuals to monitor their accounts and protect themselves from fraud. Whether such litigation materializes in this case will likely depend on the scope of harm that can be attributed to the breach and on Substack’s ability to demonstrate that it took reasonable precautions to protect user data.
The Bigger Picture for Platform Trust
At a broader level, the Substack breach is a reminder that the platforms on which modern media businesses are built carry inherent risks that are often invisible until something goes wrong. Writers who have migrated to Substack over the past five years have done so in part because the platform promised simplicity, direct audience relationships, and freedom from the algorithmic whims of social media. The breach does not negate those advantages, but it does add a new variable to the calculus.
Trust is the currency of the newsletter economy. Readers subscribe because they trust a writer’s voice and perspective; writers publish on Substack because they trust the platform to handle the technical and financial infrastructure reliably. When that trust is compromised — even partially — the effects can ripple outward in ways that are difficult to quantify but impossible to ignore. For Substack, the path forward will require not only fixing whatever vulnerability led to the breach but also rebuilding confidence among the creators and readers who form the foundation of its business.
As of this writing, Substack has not announced any changes to its security infrastructure or provided a detailed account of how the breach occurred. The company’s next moves will be closely watched by an industry that has staked much of its future on the promise that independent publishing platforms can be both open and secure.