Full Report
Newsletter platform Substack has confirmed a data breach in an email to users. The company said that in October, an “unauthorized third party” accessed user data, including email addresses, phone numbers, and other unspecified “internal metadata.” Substack specified that more sensitive data, such as credit card numbers, passwords, and other financial information, was unaffected. In…
Analysis Summary
# Incident Report: Substack Unauthorized Access and Data Exposure (October 2025)
## Executive Summary
In October 2025, the newsletter platform Substack experienced a data breach when an "unauthorized third party" gained access to internal systems. This incident resulted in the exposure of user data, including email addresses, phone numbers, and unspecified internal metadata. The company confirmed that more sensitive details, such as passwords and financial information, remained secure. Substack CEO Chris Best notified users in February 2026 after identifying the issue and subsequently fixed the access vulnerability.
## Incident Details
- Discovery Date: February 2026 (when the company identified the issue and notified users)
- Incident Date: October 2025 (when the unauthorized access occurred)
- Affected Organization: Substack
- Sector: Information Technology, Communications (Newsletter Platform)
- Geography: Not explicitly disclosed; global operations presumed.
## Timeline of Events
### Initial Access
- **Date/Time:** October 2025
- **Vector:** An "unauthorized third party" accessed systems. (The specific vector, e.g., which vulnerability was exploited, is not detailed in the summary.)
- **Details:** An unauthorized party accessed user data within Substack's systems.
### Lateral Movement
- **Details:** Unknown. The scope suggests the attackers were able to access or collect specific categories of user data.
### Data Exfiltration/Impact
- **Details:** Unauthorized access led to the compromise of user **email addresses**, **phone numbers**, and unspecified **internal metadata**. Sensitive data (passwords, credit card numbers) was confirmed *unaffected*.
### Detection & Response
- **Details:** Substack CEO Chris Best stated the company **identified the issue in February 2026**. Substack has **fixed the problem** and **started an investigation**. Users were notified via email.
## Attack Methodology
*Note: As the source text does not detail the specific TTPs, the fields below reflect what is known versus what is presumed based on the scope.*
- **Initial Access:** Unauthorized third-party access to systems. (Specific method unknown)
- **Persistence:** Unknown.
- **Privilege Escalation:** Unknown.
- **Defense Evasion:** Unknown.
- **Credential Access:** Unknown.
- **Discovery:** Likely involved internal reconnaissance to locate valuable user PII/metadata.
- **Lateral Movement:** Movement within the environment to access the affected data sets.
- **Collection:** Gathering email addresses, phone numbers, and internal metadata.
- **Exfiltration:** Data was successfully exfiltrated, though the method is not specified.
- **Impact:** Unauthorized disclosure of user Personally Identifiable Information (PII) and metadata.
## Impact Assessment
- **Financial:** Not disclosed.
- **Data Breach:** User email addresses, phone numbers, and internal metadata.
- **Operational:** The vulnerability that permitted access was fixed by February 2026. Investigation initiated.
- **Reputational:** Public disclosure via email to users in February 2026.
## Indicators of Compromise
- *No specific IoCs (IPs, domains, file hashes) were provided in the summary article.*
- **Behavioral indicators:** Unauthorized bulk access or queries related to user account databases containing contact information.
## Response Actions
- **Containment:** The company **fixed the problem** that allowed unauthorized access (implies remediation of the initial access vector).
- **Eradication:** Not explicitly detailed, but implied by fixing the root cause.
- **Recovery:** Notification to users via email starting in February 2026. Investigation launched.
## Lessons Learned
- A significant gap existed in securing access to user contact information and internal metadata, which was exploited months before detection.
- The detection timeline spanned approximately four months (October 2025 to February 2026).
## Recommendations
- Conduct a thorough forensic investigation to determine the exact initial access vector and the full scope of "internal metadata" accessed.
- Enhance monitoring capabilities, particularly around data stores containing PII/contact lists, to detect unusual query volume or access patterns sooner.
- Review access controls and segmentation to ensure that a compromise in one area does not automatically grant access to this specific set of data.
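The behavioral indicator above (unauthorized bulk access or queries against user contact data) and the monitoring recommendation (detecting unusual query volume or access patterns on PII stores) both reduce to the same detection logic. The following is an added example, not code from Substack or from the report's source; it assumes a hypothetical, constructed access-log format (timestamp, principal, table, operation, rows returned), hypothetical table names, and a constructed baseline of which service accounts are expected to touch contact data. It flags two things: a principal reading an unusual volume of rows from a sensitive table within a sliding window, and a principal touching a sensitive table that is not in its baseline.

```python
"""Flag bulk reads and unexpected principals on a PII/contact data store.

Added example: the log format, table names, principals and baseline are all
constructed for illustration and are not Substack's.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical tables that hold user contact PII (constructed names).
SENSITIVE_TABLES = {"user_contacts", "user_phone_numbers"}

# Constructed baseline of (principal, table) pairs that are expected to read
# contact data. Anything else touching a sensitive table is an anomaly.
BASELINE = {
    ("svc-newsletter-api", "user_contacts"),
    ("svc-sms-delivery", "user_phone_numbers"),
}

# Constructed sample access log: "<ts> <principal> <table> <op> <rows>".
SAMPLE_LOG = """\
2025-10-12T02:01:05Z svc-newsletter-api users SELECT 1
2025-10-12T02:01:06Z svc-newsletter-api user_contacts SELECT 1
2025-10-12T02:03:10Z svc-analytics-etl user_contacts SELECT 25000
2025-10-12T02:03:40Z svc-analytics-etl user_contacts SELECT 25000
2025-10-12T02:04:12Z svc-analytics-etl user_contacts SELECT 25000
2025-10-12T02:05:01Z svc-analytics-etl user_contacts SELECT 25000
2025-10-12T09:15:00Z svc-newsletter-api user_contacts SELECT 1
"""


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    principal: str
    table: str
    op: str
    rows: int


@dataclass(frozen=True)
class Alert:
    kind: str        # "bulk_read" or "unexpected_principal"
    principal: str
    table: str
    ts: datetime     # start of the offending window / first offending event
    rows: int        # rows read in the window (0 for unexpected_principal)


def parse_line(line: str) -> AccessEvent:
    """Parse one whitespace-separated log line of the constructed format."""
    ts, principal, table, op, rows = line.split()
    return AccessEvent(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       principal, table, op, int(rows))


def parse_log(text: str) -> list[AccessEvent]:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def detect_bulk_reads(events, window=timedelta(minutes=10),
                      row_threshold=50_000) -> list[Alert]:
    """Sliding-window sum of rows read from sensitive tables, per principal.

    One alert per principal, raised the first time the rows read within any
    `window` exceed `row_threshold`; this is the "unusual query volume" signal.
    """
    reads = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        if e.table in SENSITIVE_TABLES and e.op == "SELECT":
            reads[e.principal].append(e)

    alerts = []
    for principal, evs in reads.items():
        start, total = 0, 0
        for end, e in enumerate(evs):
            total += e.rows
            # Drop events that fell out of the window ending at evs[end].
            while evs[end].ts - evs[start].ts > window:
                total -= evs[start].rows
                start += 1
            if total > row_threshold:
                alerts.append(Alert("bulk_read", principal, e.table,
                                    evs[start].ts, total))
                break  # one alert per principal keeps the output readable
    return alerts


def detect_unexpected_principals(events, baseline=BASELINE) -> list[Alert]:
    """Flag the first access by each (principal, table) pair outside the baseline."""
    seen, alerts = set(), []
    for e in sorted(events, key=lambda e: e.ts):
        key = (e.principal, e.table)
        if e.table in SENSITIVE_TABLES and key not in baseline and key not in seen:
            seen.add(key)
            alerts.append(Alert("unexpected_principal", e.principal, e.table, e.ts, 0))
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for a in detect_bulk_reads(evs) + detect_unexpected_principals(evs):
        print(a)
```

On the constructed log, the ETL account trips both detectors: it is not baselined for `user_contacts`, and its four 25,000-row reads inside two minutes cross the 50,000-row window threshold. In a real deployment the thresholds and baseline would come from observed traffic, and the window sum is the piece worth keeping: a slow exfiltration that stays under the per-query limit still shows up as volume over time.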