Substack Data Breach Records Added to Have I Been Pwned as 663,000 Accounts Surface Online

By Ash K

Records from a data breach affecting the publishing platform Substack are now publicly searchable through the Have I Been Pwned database, bringing renewed attention to an incident that originally occurred several months earlier. The breach, which dates back to October 2025, exposed account-level information belonging to more than 663,000 users before circulating more widely in early 2026.

The addition of the dataset to Have I Been Pwned on February 6, 2026, significantly increases its visibility, enabling individuals and organizations to verify whether their information was affected. Security experts say the timing reflects a common pattern in which breached data surfaces gradually, often months after the initial compromise.

While Substack has stated that no passwords or payment information were exposed, the scale of the incident and the nature of the data involved still present meaningful risks to users.

What Happened in the Substack Breach

According to information disclosed alongside the Have I Been Pwned listing, the breach occurred in October 2025 but did not gain broad public attention until leaked records began circulating more widely in February 2026.

The exposed dataset contains records tied to Substack account holders, combining email addresses with publicly visible profile information from the platform. This includes publication names and author bios that are normally accessible on Substack pages.

A subset of the records also includes phone numbers, suggesting that additional account metadata beyond basic contact details was accessed during the incident.

There is no indication that Substack’s core publishing infrastructure was disrupted. Instead, the breach appears to have involved unauthorized access to user account data rather than a service outage or ransomware event.

Scope and Scale of the Exposed Data

In total, approximately 663,100 unique accounts were affected, placing the Substack incident among the larger publishing platform data exposures reported in recent years.

The compromised information primarily consists of email addresses, which are frequently reused across multiple services and therefore highly valuable for phishing campaigns and account takeover attempts.

Phone numbers present in some records add a further layer of risk, enabling attackers to launch SMS-based phishing, account recovery abuse, or targeted social engineering.

Although the data does not include authentication secrets, security researchers note that even partial datasets can be combined with information from other breaches to build detailed user profiles.

[Image: Have I Been Pwned details screen]

Why the HIBP Listing Matters

Have I Been Pwned serves as a central repository for verified breach datasets, allowing users to check whether their email addresses or phone numbers appear in known incidents.

Once data is added to the platform, it often draws renewed scrutiny from attackers who monitor breach disclosures for fresh targets. This can lead to secondary waves of phishing or credential stuffing.

The listing also helps organizations and security teams assess exposure within their user base, particularly when employees may use personal email addresses for professional activities.

Risk to Writers, Readers, and Publishers

Substack hosts a wide range of independent journalists, writers, and subject-matter experts, many of whom operate under their real names and maintain public-facing profiles.

The combination of contact information and publication details increases the likelihood of highly targeted phishing messages that reference specific newsletters or subscriber relationships.

For high-profile authors or politically sensitive publications, exposure of contact data can also raise concerns around harassment, impersonation, or doxing attempts.

Readers and subscribers may be targeted as well, particularly if attackers attempt to impersonate newsletter authors to solicit payments or credentials.

What Affected Users Should Watch For

Users whose information appears in the Substack breach are advised to remain cautious of unsolicited emails or messages referencing subscriptions, billing issues, or account security alerts.

Even without password exposure, attackers frequently use breached contact data to lure victims into fake login pages or payment requests.

Security professionals recommend enabling multi-factor authentication wherever available, using unique passwords across platforms, and monitoring accounts for unusual activity.

The Substack breach serves as another reminder that data exposure does not require stolen passwords to create real-world risk. In an ecosystem built on trust and direct relationships, even limited information can be weaponized effectively.

Ash K
Ashton is a seasoned cybersecurity professional with over 25 years of experience in cybersecurity research, cybersecurity incident response, products and security solutions architecture.