The personal data of an unknown number of Substack users was leaked several months ago, Substack announced today.
“I’m incredibly sorry this happened,” Substack CEO Chris Best wrote in an email to affected users. “We take our responsibility to protect your data and your privacy seriously, and we came up short here.”
According to the email, the security incident occurred in October 2025 but was only discovered yesterday. The leaked data included “email addresses, phone numbers, and other internal metadata.” The company noted, however, that “credit card numbers, passwords, and financial information were not accessed.”
Substack did not respond to Gazetteer SF’s request for comment in time for publication, so the full scope of the leak is not yet known.
As of the email (sent around 6 p.m. Pacific Time), Substack said it had fixed the problem and was conducting a full investigation.
In a section of the email titled “What you can do,” Best only suggested users take “extra caution” with any suspicious texts they might receive.
“This sucks. I’m sorry,” Best wrote. “We will work very hard to make sure it does not happen again.”







