Why there is no official statement from Substack about the data leak

Published: February 7, 2026 at 11:34 PM EST

Source: Hacker News

Overview

Newsletter platform Substack confirmed a data breach in an email to users. In October, an “unauthorized third party” accessed user data, including email addresses, phone numbers, and other unspecified internal metadata. More sensitive data—such as credit card numbers, passwords, and other financial information—was unaffected.

Details of the breach

  • Date of incident: October (unauthorized access)
  • Discovery: February, when Substack identified the issue that allowed someone to access its systems.
  • Data accessed: Email addresses, phone numbers, and internal metadata. No evidence that credit‑card numbers, passwords, or other financial information were compromised.

The exact nature of the system vulnerability and the full scope of the accessed data remain unclear. It is also unknown why the breach went undetected for five months or whether the attackers demanded a ransom.

Company response

Substack’s chief executive, Chris Best, sent an email to users stating:

“I’m reaching out to let you know about a security incident that resulted in the email address and phone number from your Substack account being shared without your permission. I’m incredibly sorry this happened. We take our responsibility to protect your data and your privacy seriously, and we came up short here.”

Key points from the response:

  • The issue has been fixed, and an investigation is underway.
  • Substack has no evidence that the compromised data is being misused.
  • Users were advised to exercise caution with emails and texts, though no specific indicators were provided.

Impact and next steps

  • Number of affected users: Not disclosed.
  • Evidence of abuse: Substack reported no signs of misuse but did not detail the technical methods (e.g., log analysis) used to reach this conclusion.
  • User guidance: General caution advised; no concrete remediation steps were outlined.

TechCrunch has reached out for additional details and will update the story if more information becomes available.

Background on Substack

  • Substack reports more than 50 million active subscriptions, including 5 million paid subscriptions, a milestone it reached last March.
  • In July 2025, the company raised $100 million in Series C funding led by BOND and The Chernin Group, with participation from a16z, Klutch Sports Group CEO Rich Paul, and Skims co‑founder Jens Grede (TechCrunch article).