What Happened
In February 2026, Substack disclosed that subscriber contact data had been exposed. The compromised data includes subscriber emails and phone numbers.
The incident undermines trust between newsletter writers and their audiences, as subscribers expect their contact information to remain private.
Timeline
- February 2026 — Substack discloses exposure of subscriber contact data
Impact and Risk Assessment
For Individuals
Subscribers had their email addresses and phone numbers exposed. Subscription preferences can reveal personal interests, political views, and professional focus areas.
For Organisations
Newsletter writers on Substack may face subscriber churn and trust erosion as a result of the platform breach.
Substack's reputation as a trusted platform for independent writers may be affected.
Regulatory Context
CCPA may apply for California-resident subscribers. GDPR may apply for EU-resident subscribers. The CAN-SPAM Act may also have implications for the exposed email addresses.
What Should You Do?
For Individuals
- If you subscribe to Substack newsletters, be alert to phishing emails that reference your subscription interests.
- Review your Substack account settings and consider whether you want to continue sharing your phone number with the platform.
For Security Professionals
- Publishing platforms should minimise the collection and retention of subscriber contact data. Consider whether phone numbers are necessary for the service provided.
Learnings and Recommendations
Publishing and newsletter platforms hold relationship data between creators and their audiences. A breach of this trust can have cascading effects on the platform's entire creator ecosystem.