Reading time: 20 minutes | Last updated: February 5, 2026 | Category: Security Alerts

Substack Data Breach 2026: A Cybersecurity Expert's 5-Step Response Plan

Published: February 5, 2026 | By T.O. Mercer | 20 min read

⚡ TL;DR

  • Hackers accessed Substack's systems in October 2025. Substack did not catch it until February 3, 2026. That is four months of your data sitting in someone else's hands.
  • Nearly 700,000 user records were leaked, including email addresses, phone numbers, names, bios, social media handles, and Stripe IDs.
  • Passwords and full financial data were not part of the breach, but what was leaked is more than enough to cause serious damage through credential stuffing and targeted phishing.
  • This is a 5-step, 20-minute response plan you can do right now. Not tomorrow. Right now.
  • The pattern is the same after every breach: companies take months to detect it, your data gets leaked, you get a vague email, and then you are on your own. You cannot outsource your security.

The Substack breach 2026 exposed nearly 700,000 user records, and if you woke up to an email from CEO Chris Best apologizing for it, you are probably wondering what this actually means for you and what you should do about it.

I have spent over a decade working in cybersecurity and DevSecOps, and I have seen this pattern play out hundreds of times. A company gets breached, they send a vague email, users panic for a day, and then nothing changes. Most people do not know what steps to actually take, so they take none.

That ends here. I am going to walk you through exactly what is at risk and what to do about it in the next 20 minutes. Not tomorrow. Not "when you get around to it." Right now, while you are thinking about it.

The 60-Second Version of What Happened

Hackers accessed Substack's systems back in October 2025. Substack did not catch it until February 3, 2026. That is four months of your data sitting in someone else's hands without anyone telling you.

Nearly 700,000 user records were leaked on a hacking forum, including:

| What Was Leaked | Risk Level | What Attackers Can Do With It |
|---|---|---|
| Email address | Critical | Password resets, phishing targets, credential stuffing |
| Phone number | Critical | SMS phishing (smishing), SIM swap attacks, 2FA bypass |
| Name + Bio | High | Personalized social engineering, spear phishing |
| Social media handles | High | Cross-platform targeting, identity research |
| Stripe IDs | Medium | Impersonate billing support, payment-related scams |
| Internal metadata | Medium | Platform-specific targeted attacks |

Passwords and full financial data were not part of the breach. But as you will see below, what was leaked is more than enough to cause serious damage.

Why "Just an Email and Phone Number" Is a Bigger Deal Than You Think

I hear this after every breach. "They only got my email. Who cares?"

Here is who cares: the people who are about to use that information against you.

Your email address and phone number are the keys to almost every account you own. Think about it. When you reset a password, where does the link go? Your email. When you verify your identity with two-factor authentication, where does the code go? Your phone. Attackers now have both.

According to Verizon's 2025 Data Breach Investigations Report, 86% of breaches involve stolen credentials. Credential stuffing attacks, where hackers take leaked emails from one breach and try those same email/password combinations on hundreds of other sites, succeed against roughly 0.1-2% of accounts. That sounds small until you realize attackers run millions of attempts per day.

Combined with your name, bio, and social media handles from the Substack leak, they have everything they need to craft phishing emails and text messages that look completely legitimate. Not the obvious "Dear Customer" spam. Messages that reference your actual interests, your actual name, and the fact that you actually use Substack.

The inclusion of Stripe IDs in this breach is particularly concerning. While this is not your full payment information, sophisticated scammers can use Stripe IDs to impersonate billing support, sending emails like "There's an issue with your Substack subscription payment" that reference real transaction identifiers. These are extremely convincing because they contain data only Substack should have.

This is how accounts get compromised in 2026. Not through brute force password cracking. Through carefully targeted social engineering built on breach data exactly like this.

Your 20-Minute Breach Response Plan

I built this plan to work for any breach, not just Substack. Bookmark this page because you will need it again. Every one of these steps is something you can do right now without any technical background.

Step 1: Find Out How Exposed You Already Are (2 Minutes)

Before you can fix the problem, you need to know how big it is. Go to Have I Been Pwned and enter your email address.

This free tool, created by security researcher Troy Hunt, checks your email against every known data breach. If Substack is the only one that shows up, you are in decent shape. If you see five, ten, or twenty breaches listed, your email and personal details have been circulating for a while and this needs to become a priority.

Write down what you find. You will need it for the next steps.

You can also run your current passwords through our password strength checker to see if they are strong enough to resist modern cracking attempts.

Step 2: Lock Down Your Substack Account (3 Minutes)

Go directly to substack.com (type it into your browser, do not click any link from an email) and change your password.

Here is what matters: this new password needs to be completely unique. Not a variation of something you use elsewhere. Not your old password with a "2" at the end.

Generate a strong password that is at least 16 characters long with a mix of uppercase, lowercase, numbers, and symbols. You can use our secure password generator to create one in seconds. The best password is one you could never guess yourself.

Why 16 characters? We break down the math in our guide on why password length beats complexity, but the short version is: a 16-character random password would take centuries to crack with current technology. An 8-character password takes minutes.

Store it in a password manager. If you do not have one yet, that is okay. Step 4 covers that.

Step 3: Enable Two-Factor Authentication Everywhere That Matters (5 Minutes)

Two-factor authentication is the single most important thing you can do to protect your accounts. Even if an attacker gets your password, they cannot get in without the second factor.

Start with these accounts in this order. I am ranking them by how much damage a compromise would cause:

Priority 1: Your email. If someone gets into your email, they can reset passwords on everything else. This is your most important account. Enable 2FA on it first.

Priority 2: Your bank and financial accounts. For obvious reasons.

Priority 3: Social media and platforms like Substack. Especially anything connected to your real name and professional identity.

Use an authenticator app (Google Authenticator, Authy, or Microsoft Authenticator) rather than SMS codes when you have the option. SMS codes are better than nothing, but they can be intercepted through SIM swapping attacks, which is a real concern when attackers already have your phone number from this breach.

Need help setting this up? Our complete 2FA setup guide walks you through enabling two-factor authentication on every major platform step by step.

Step 4: Stop Reusing Passwords (5 Minutes to Start)

I am going to be direct with you. If you are reusing passwords across accounts, this breach just put all of those accounts at risk. Attackers take leaked emails from one breach and try those same email/password combinations on hundreds of other sites. It is automated, it is fast, and it works more often than you would think.
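Credential stuffing has a recognizable shape in a site's own login logs, which is how a platform can catch it and invalidate the affected accounts early. The script below is an added example (not code from the original post or from Substack) that runs a simple detector over a few constructed log lines; the log format, the thresholds and the IP addresses are all assumptions made for the illustration. It covers both the earlier description of stuffing (one leaked email/password list tried against many accounts) and the warning in this step.

```python
"""Credential-stuffing detector for a login log.

Added example, not code from the original post or from Substack. Credential
stuffing looks different from a user mistyping their own password: one source
cycles through MANY distinct usernames in a short window with a low hit rate.
The log format, the thresholds and the sample lines are all assumptions
constructed for this illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. Assumed format:
# <ISO timestamp> <source ip> <username> <LOGIN_OK|LOGIN_FAIL>
SAMPLE_LOG = """\
2026-02-04T10:00:01 203.0.113.7 alice@example.com LOGIN_FAIL
2026-02-04T10:00:02 203.0.113.7 bob@example.com LOGIN_FAIL
2026-02-04T10:00:02 203.0.113.7 carol@example.com LOGIN_FAIL
2026-02-04T10:00:03 203.0.113.7 dave@example.com LOGIN_OK
2026-02-04T10:00:03 203.0.113.7 erin@example.com LOGIN_FAIL
2026-02-04T10:00:04 203.0.113.7 frank@example.com LOGIN_FAIL
2026-02-04T10:00:05 203.0.113.7 grace@example.com LOGIN_FAIL
2026-02-04T10:00:05 203.0.113.7 heidi@example.com LOGIN_FAIL
2026-02-04T10:00:06 203.0.113.7 ivan@example.com LOGIN_FAIL
2026-02-04T10:00:06 203.0.113.7 judy@example.com LOGIN_FAIL
2026-02-04T10:00:07 203.0.113.7 mallory@example.com LOGIN_FAIL
2026-02-04T10:00:08 203.0.113.7 oscar@example.com LOGIN_FAIL
2026-02-04T10:05:00 198.51.100.9 alice@example.com LOGIN_FAIL
2026-02-04T10:05:20 198.51.100.9 alice@example.com LOGIN_FAIL
2026-02-04T10:05:45 198.51.100.9 alice@example.com LOGIN_OK
"""


def parse_line(line):
    """Split one log line into (timestamp, ip, username, succeeded)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "LOGIN_OK"


def find_stuffing_sources(log_text, window=timedelta(minutes=5),
                          min_users=10, max_success_rate=0.2):
    """Return {ip: stats} for sources whose behaviour matches credential stuffing.

    Heuristic (assumed thresholds): at least min_users distinct usernames from
    one IP inside a sliding time window, with a success rate no higher than
    max_success_rate. The stats also list which accounts the source got into,
    since those are the credentials to invalidate first.
    """
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, ok = parse_line(line)
            by_ip[ip].append((ts, user, ok))

    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        best, start = None, 0
        for end in range(len(events)):
            # advance the window start until the span fits inside `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            users = {u for _, u, _ in span}
            successes = [u for _, u, ok in span if ok]
            if len(users) >= min_users and len(successes) / len(span) <= max_success_rate:
                stats = {"distinct_users": len(users), "attempts": len(span),
                         "compromised": sorted(set(successes))}
                if best is None or stats["distinct_users"] > best["distinct_users"]:
                    best = stats
        if best:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, stats in find_stuffing_sources(SAMPLE_LOG).items():
        print(ip, stats)
```

On the sample, 203.0.113.7 is flagged (twelve different accounts in seven seconds, one hit) while 198.51.100.9 is not, because it is one person retrying their own password. The one account the flagged source got into is exactly the reused-password case this step warns about.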

The fix is a password manager. It generates and stores unique passwords for every account, and you only need to remember one master password.

Here is how to get started today:

  1. Pick a password manager (see our recommendations below)
  2. Use our secure password generator to create a strong master password you can actually remember. Try a passphrase: four or five random words strung together with numbers and symbols mixed in. Our passphrase generator can help.
  3. Start adding your most important accounts. You do not need to do all of them today. Do your email, your bank, and your most-used accounts first. Add the rest over the next week.
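To make the "16 characters versus 8" arithmetic from Step 2 and the master-passphrase advice above concrete, here is an added example (not code from the original post or from SafePasswordGenerator.net) that computes the entropy and expected crack time of each scheme and generates a password and a passphrase with Python's CSPRNG. The guess rate, the miniature word list and the constants are assumptions made for the illustration.

```python
"""Password strength arithmetic plus a passphrase generator.

Added example, not code from the original post or from SafePasswordGenerator.net.
ASSUMED_GUESSES_PER_SECOND is an assumption for illustration (an offline attack
on a fast, unsalted hash with a large GPU rig); real figures vary by orders of
magnitude, and an online login form with rate limiting allows far fewer.
"""
import math
import secrets
import string

ASSUMED_GUESSES_PER_SECOND = 1e12
PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Constructed miniature word list. A real list such as the EFF long list has
# 7776 words, i.e. about 12.9 bits per word drawn uniformly at random.
WORDS = ["anchor", "basil", "comet", "dune", "ember", "fjord", "glacier", "harbor",
         "iris", "juniper", "kestrel", "lantern", "meadow", "nebula", "orchid", "pebble"]


def entropy_bits(choices_per_position, positions):
    """Entropy of a sequence whose positions are chosen uniformly and independently."""
    return positions * math.log2(choices_per_position)


def expected_crack_years(bits, guesses_per_second=ASSUMED_GUESSES_PER_SECOND):
    """Expected search time for a uniformly random secret: half the keyspace on average."""
    return (2.0 ** bits / 2) / guesses_per_second / SECONDS_PER_YEAR


def random_password(length=16, alphabet=PRINTABLE):
    """Random character password from the secrets module (CSPRNG), not random.choice."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(word_count=5, wordlist=WORDS, separator="-"):
    """Diceware-style passphrase; with the real 7776-word list, 5 words give ~64.6 bits."""
    return separator.join(secrets.choice(wordlist) for _ in range(word_count))


def compare():
    """Bits and expected crack time, in years, for the schemes discussed in the post."""
    schemes = {
        "8 random chars, 94 symbols": entropy_bits(94, 8),
        "16 random chars, 94 symbols": entropy_bits(94, 16),
        "5 words from a 7776-word list": entropy_bits(7776, 5),
    }
    return {name: (round(bits, 1), expected_crack_years(bits)) for name, bits in schemes.items()}


if __name__ == "__main__":
    for name, (bits, years) in compare().items():
        print(f"{name:32s} {bits:6.1f} bits  ~{years:.3g} years at {ASSUMED_GUESSES_PER_SECOND:.0e} guesses/s")
    print("example password  :", random_password())
    print("example passphrase:", random_passphrase())
```

At the assumed rate the 8-character password falls in under an hour and the 16-character one takes hundreds of billions of years. A plain five-word passphrase from a 7776-word list sits in between, which is why mixing digits and symbols into a master passphrase is worth the effort. The years scale linearly with whatever guess rate you plug in, so the ranking between schemes holds even if the absolute numbers differ.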

Password Managers We Recommend

These are the password managers I trust and recommend to friends and family. All of them use zero-knowledge encryption, meaning even the company cannot see your passwords.

| Manager | Best For | Price | Key Feature |
|---|---|---|---|
| NordPass | Most users | $1.99/mo | Built-in breach scanner, from the makers of NordVPN |
| Proton Pass | Privacy-focused users | Free tier available | Swiss privacy laws, open source, full Proton ecosystem |
| RoboForm | Long-term value | $24/year | 25+ years in business, excellent autofill |
| Bitwarden | Budget-conscious | Free forever | Open source, self-host option |

Affiliate disclosure: I may earn a commission if you sign up through these links, at no extra cost to you. I only recommend tools I personally use or have thoroughly tested.


Step 5: Set Your Phishing Defenses (5 Minutes)

For the next 30 to 90 days, you are going to see an increase in phishing attempts. This is the pattern after every breach. The data circulates through forums, gets bought and sold, and attackers start using it.

The Golden Rule: Never click, always navigate. If you get an email that says your Substack account needs attention, do not click the link in the email. Open a new browser tab, type substack.com, and log in directly. This one habit defeats the vast majority of phishing attacks.

Texts from numbers you do not recognize that mention Substack, data breaches, or "account security" are scams. Delete them.

Calls from your "bank" about the breach are scams. Hang up and call your bank using the number on the back of your card.
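The "never click, always navigate" rule works because the real destination of a link is whatever comes after the scheme and before the first `/`, no matter what the link text says. As an added example (not code from the original post), the helper below pulls that host out of a URL and checks it against the domains a genuine notice could point to; the expected-domain set and the sample links are constructed assumptions.

```python
"""Where does this link really go? Added example, not code from the original post.

The "never click, always navigate" rule exists because the text of a link and
its real destination can differ. This helper extracts the destination host and
checks it against the domains a genuine notice could point to. EXPECTED_DOMAINS
and the sample links are assumptions constructed for this illustration.
"""
from urllib.parse import urlsplit

EXPECTED_DOMAINS = {"substack.com"}


def host_under(host, domain):
    """True if host is domain itself or a subdomain of it (matching on label boundaries)."""
    host, domain = host.lower().rstrip("."), domain.lower()
    return host == domain or host.endswith("." + domain)


def classify_link(url, expected=EXPECTED_DOMAINS):
    """Return ('ok' | 'suspicious', reason) for a URL found in an email or text message."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https"):
        return "suspicious", f"unexpected scheme {parts.scheme!r}"
    host = parts.hostname or ""
    if not host:
        return "suspicious", "no host in URL"
    if parts.username is not None:
        # https://substack.com@evil.example/ : everything before '@' is userinfo; the host is evil.example
        return "suspicious", f"text before '@' disguises the real host {host!r}"
    if host.replace(".", "").isdigit():
        return "suspicious", "bare IP address instead of a domain name"
    if any(label.startswith("xn--") for label in host.split(".")):
        return "suspicious", "internationalized host (punycode); possible look-alike characters"
    if parts.scheme != "https":
        return "suspicious", "plain http, not https"
    if any(host_under(host, d) for d in expected):
        return "ok", f"host {host!r} is under an expected domain"
    return "suspicious", f"host {host!r} is not under any expected domain"


# Constructed sample links of the kind that show up in post-breach phishing.
SAMPLE_LINKS = [
    "https://substack.com/account/settings",
    "https://newsletter.substack.com/p/welcome",
    "https://substack.com.account-verify.example/login",
    "https://substack.com@login-check.example/reset",
    "https://substack-security.example/reset",
    "http://substack.com/login",
    "https://203.0.113.5/substack",
]


def suspicious_links(urls):
    """Filter a list of URLs down to the ones that should not be clicked."""
    return [(u, classify_link(u)[1]) for u in urls if classify_link(u)[0] == "suspicious"]


if __name__ == "__main__":
    for url in SAMPLE_LINKS:
        verdict, reason = classify_link(url)
        print(f"{verdict:10s} {url}  ({reason})")
```

Two of the seven samples pass; the rest fail for a different reason each (the real domain buried inside a longer one, a fake domain hidden before an `@`, a look-alike name, plain http, a raw IP). A passing result only means the host is right, so the rule in the post still stands: type the address yourself rather than trusting the link.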

The 5-Minute Inbox Audit

This is the step most people miss, and it is critical. Attackers sometimes set up email filters or forwarding rules that let them silently monitor your inbox even after you change your password. Run this audit right now:

For Gmail users:

  1. Go to Settings (gear icon) → See all settings
  2. Click "Filters and Blocked Addresses" → Delete anything you do not recognize
  3. Click "Forwarding and POP/IMAP" → Make sure no forwarding addresses were added without your knowledge
  4. Check "Accounts and Import" → Verify no unknown accounts have send-as permissions

For Outlook users:

  1. Go to Settings → View all Outlook settings
  2. Click Mail → Forwarding → Ensure forwarding is disabled or only going where you expect
  3. Click Mail → Rules → Delete any rules you did not create

For Apple Mail / iCloud:

  1. Go to iCloud.com → Settings → iCloud Mail
  2. Check Forwarding settings
  3. Review any mail rules

If you find anything suspicious, delete it immediately and change your email password again.
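The manual audit above is the right first move; the logic behind it can also be written down, so the same checks can be run against settings exported or fetched from an account. The script below is an added example (not code from the original post, from Substack or from Google) that scores a list of mail filters and an auto-forwarding setting. The records are constructed here in the shape of the Gmail API's `users.settings.filters` and `getAutoForwarding` responses, which is an assumption: confirm the exact field names against the live API documentation, or simply compare the findings to what the settings pages show.

```python
"""Mailbox persistence audit. Added example, not Substack's, Google's or the post's code.

Attackers who get into a mailbox often leave behind a filter or forwarding rule
so they keep reading mail after the password changes. This scores a list of
filters and a forwarding setting. Both are CONSTRUCTED here in the shape of the
Gmail API's users.settings.filters and getAutoForwarding responses (an
assumption; fetch the real ones with the API or compare against the settings
pages by hand). OWN_DOMAINS and WATCH_WORDS are assumptions too.
"""

OWN_DOMAINS = {"example.com"}  # assumption: domains you control; forwarding anywhere else is a red flag
WATCH_WORDS = ("password", "verification", "security", "reset", "login", "code", "invoice", "bank")

# Constructed sample filters; f2 and f3 are the kind an intruder leaves behind.
SAMPLE_FILTERS = [
    {"id": "f1", "criteria": {"from": "newsletter@news.example"},
     "action": {"addLabelIds": ["Label_12"], "removeLabelIds": ["INBOX"]}},
    {"id": "f2", "criteria": {"query": "password OR verification OR security"},
     "action": {"addLabelIds": ["TRASH"], "removeLabelIds": ["INBOX", "UNREAD"]}},
    {"id": "f3", "criteria": {"to": "me@example.com"},
     "action": {"forward": "backup@attacker-mail.example"}},
    {"id": "f4", "criteria": {"from": "alerts@bank.example"},
     "action": {"addLabelIds": ["Label_3"]}},
]
SAMPLE_FORWARDING = {"enabled": True, "emailAddress": "copy@attacker-mail.example", "disposition": "trash"}


def _domain(address):
    """Domain part of an email address, lower-cased."""
    return address.rsplit("@", 1)[-1].lower()


def audit_filter(f, own_domains=OWN_DOMAINS):
    """Return a list of findings for one filter record (empty list means it looks benign)."""
    findings = []
    crit = f.get("criteria", {})
    act = f.get("action", {})
    fwd = act.get("forward")
    if fwd and _domain(fwd) not in own_domains:
        findings.append(f"forwards matching mail to external address {fwd}")
    hides = bool({"TRASH", "SPAM"} & set(act.get("addLabelIds", [])))
    archives = "INBOX" in act.get("removeLabelIds", [])
    text = " ".join(str(v) for v in crit.values()).lower()
    if any(w in text for w in WATCH_WORDS) and (hides or archives):
        findings.append("hides mail matching security-related keywords: " + text)
    if fwd and (hides or archives):
        findings.append("forwards and then hides the message (silent-monitor rule)")
    return findings


def audit_forwarding(setting, own_domains=OWN_DOMAINS):
    """Findings for the account-wide auto-forwarding setting."""
    if not setting.get("enabled"):
        return []
    addr = setting.get("emailAddress", "")
    findings = []
    if _domain(addr) not in own_domains:
        findings.append(f"auto-forwarding enabled to external address {addr}")
    if setting.get("disposition") in ("trash", "archive"):
        findings.append(f"forwarded copies are removed from the inbox (disposition={setting['disposition']})")
    return findings


def audit_mailbox(filters, forwarding):
    """Map of filter id (or 'auto_forwarding') to findings; an empty map is a clean result."""
    report = {fid: found for fid, found in ((f["id"], audit_filter(f)) for f in filters) if found}
    fwd = audit_forwarding(forwarding)
    if fwd:
        report["auto_forwarding"] = fwd
    return report


if __name__ == "__main__":
    for key, found in audit_mailbox(SAMPLE_FILTERS, SAMPLE_FORWARDING).items():
        print(key)
        for line in found:
            print("   -", line)
```

On the sample data the newsletter filter (f1) and the bank label (f4) pass, while f2 (silently trashes anything mentioning passwords or security codes), f3 (copies mail to an outside address) and the account-wide forwarding are flagged. Those are the three patterns the manual checklist above is looking for, and the same three apply to Outlook rules and iCloud mail rules even though the record format differs.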

Protect Your Connection Too

If you are doing any of these steps on public WiFi, stop. Public networks are a goldmine for attackers who can intercept your traffic.

A VPN encrypts your connection and keeps your data private, even on untrusted networks. This is especially important when you are logging into sensitive accounts or changing passwords.

| VPN | Best For | Price |
|---|---|---|
| Surfshark | Unlimited devices | $2.49/mo |
| NordVPN | Speed + Security | $3.99/mo |

These are affiliate links. I recommend both based on independent testing.

The Pattern You Need to Recognize

The Substack breach is not special. It is not even unusual. What makes it worth paying attention to is how perfectly it illustrates a pattern that plays out over and over.

A company gets hacked. Months pass before they notice. Your data gets leaked on a forum. You get a vague apology email. And then you are on your own.

Substack took four months to detect this breach. The data was already being traded on hacking forums before the company sent its first notification. That is not a criticism of Substack specifically. This is how most breaches go. According to IBM's Cost of a Data Breach Report, the average time to identify a breach is still 194 days.

The takeaway is simple: you cannot outsource your security to any platform. The companies you trust with your data will get breached. Some already have and just do not know it yet.

The only reliable protection is the one you build for yourself. Unique passwords for every account. Two-factor authentication on everything important. A healthy skepticism toward any message that tries to get you to click, call, or share information.

These are not complicated steps. They are habits. And the 20 minutes you just spent reading this page is the hardest part. Now go do it.

Frequently Asked Questions

Was my Substack password leaked in the breach?

No. Substack has confirmed that passwords were not part of this breach. However, you should still change your Substack password as a precaution, especially if you reuse it on other sites. Use our secure password generator to create a strong, unique replacement.

How do I know if I was affected by the Substack breach?

If you received an email from Substack CEO Chris Best on or around February 4-5, 2026, your data was part of the breach. You can also check Have I Been Pwned once the breach is added to their database. If you have ever had a Substack account, assume your data was exposed and follow the steps above.

What information was exposed in the Substack data breach?

The breach exposed email addresses, phone numbers, names, user bios, social media handles, Stripe customer IDs, and internal platform metadata. Financial data like credit card numbers and passwords were not included.

Can hackers access my bank account with my Substack data?

Not directly. The breach did not include financial data. However, attackers can use your leaked email and phone number for phishing attacks designed to trick you into revealing banking credentials. This is why enabling 2FA on your financial accounts is critical.

What is a Stripe ID and should I be worried?

A Stripe ID is an internal identifier used by Substack's payment processor. While it does not contain your credit card number, sophisticated scammers can use it to craft convincing fake billing emails that reference real transaction data. Be extra skeptical of any emails about Substack payments or subscription issues.

How long should I be on alert for phishing attempts?

Plan for 30 to 90 days of heightened vigilance. Breach data typically circulates through hacking forums during this window before attackers begin using it. After that, your data becomes part of larger databases that may be used indefinitely, which is why the habits you build now matter long-term.

T.O. Mercer is a cybersecurity researcher with over 10 years of experience in enterprise security and DevSecOps. He is the founder of SafePasswordGenerator.net, where he helps everyday people take control of their online security with free tools and no-nonsense education.
