Substack Discloses Massive ~35M Subscriber Data Leak
Substack has disclosed a data breach after a hacker leaked user records allegedly obtained from the platform’s systems. The subscription publishing service, which supports an estimated 35 million subscribers, confirmed that unauthorized access occurred in October 2025 but was not discovered until February 3, when Substack identified evidence of system abuse. According to the company, exposed data included email addresses, phone numbers, and internal metadata, though Substack emphasized that passwords and financial data were not compromised. The disclosure follows a cybercrime forum post where an attacker claimed to have stolen nearly 700,000 records, including names, profile details, and user identifiers.
While the breach reportedly did not expose payment credentials, the stolen contact information still presents significant downstream risk. Email addresses and phone numbers can be weaponized for phishing, SIM-swap attempts, impersonation scams, and targeted harassment, particularly in a creator-driven ecosystem where public identity and monetization are closely tied. The attacker described the activity as “noisy” scraping that triggered mitigations, highlighting how large-scale data harvesting can still cause real damage even without deeper system compromise.
This incident underscores the need for unified security monitoring and response across SaaS platforms. Organizations like Substack must consolidate web traffic analytics, bot detection, API monitoring, identity telemetry, rate-limiting controls, threat intelligence, and automated incident response into a single security operations view with a platform like NIKSUN. By correlating signals across login patterns, scraping behavior, application logs, and network activity, security teams can detect abnormal data extraction earlier, reduce exposure windows, and prevent leaked datasets from escalating into large-scale fraud campaigns. Unified security visibility is essential for protecting user trust at platform scale.