Substack Data Breach Exposes User Records and Internal Metadata

Newsletter platform Substack has confirmed a data breach that resulted in user data being accessed without authorization. The incident exposed user records and internal metadata from the popular publishing platform used by millions of writers and subscribers. The breach was initially reported by a Substack user and later confirmed by the company, with law firm Lynch Carpenter announcing an investigation into potential legal claims.


What Happened

Substack, which hosts newsletters for millions of writers and their subscribers, disclosed that an unauthorized party gained access to user data. The breach exposed user records including email addresses, usernames, and internal platform metadata. The scope of the exposed data and the full number of affected users are still being determined.

The incident is concerning because Substack users include journalists, researchers, political commentators, and public figures. Their subscriber lists and engagement data could be valuable for targeted phishing, harassment, or competitive intelligence. For subscribers, the exposure of their email addresses alongside the specific newsletters they follow reveals information about their interests, political views, and personal concerns.

Who Is Affected

Both Substack writers (publishers) and their subscribers may be affected. If you have a Substack account — whether you publish a newsletter or subscribe to one — your data may have been accessed. Substack has not yet disclosed the total number of affected accounts.

What You Should Do

Change your Substack password and enable two-factor authentication on your account. Be cautious of emails that appear to come from Substack or from newsletters you subscribe to — verify them by going directly to the Substack website rather than clicking links in emails. If you are a Substack publisher, alert your subscribers about the breach so they can take protective measures as well.


This article is for informational purposes only and does not constitute legal advice. Written by Steve Levine for OpenClassActions.org.