TL;DR: On February 2, 2026, a threat actor calling themselves "w1kkid" dumped 697,313 Substack user records on BreachForums. The data includes names, email addresses, phone numbers, Stripe payment IDs, profile metadata, and internal admin flags. Substack confirmed on February 5 that an "unauthorized third party" accessed user data back in October 2025, four months before anyone noticed. The platform that journalists, dissidents, and activists chose specifically because they trusted it just handed their real identities to the cybercrime underground.
Four Months of Silence
Here's the timeline that should make every Substack writer nervous:
- October 2025: An unauthorized party accesses Substack's systems and extracts user data.
- February 2, 2026: A hacker using the alias "w1kkid" posts a CSV file titled "substack.csv" on BreachForums containing 697,313 records [1].
- February 3, 2026: Substack finally discovers the breach, after the data is already public on a cybercrime forum.
- February 5, 2026: CEO Chris Best emails affected users. Journalist Shannon Liao shares the notification on X, making it public [2].
Four months. The data sat exposed for four months before Substack caught it. And they didn't catch it through their own monitoring: a hacker posting their stolen data on a public forum is what triggered the discovery [3].
Best's email to users read: "I'm incredibly sorry this happened. We take our responsibility to protect your data and your privacy seriously, and we came up short here" [4].
"Came up short" is one way to describe a four-month detection gap.
What's in the Dump
The leaked CSV isn't just emails and usernames. Security researchers who analyzed the BreachForums post found the records contain [1][5]:
- Full names and user IDs
- Email addresses and phone numbers
- Stripe payment IDs, linking accounts to the payment processor
- Profile pictures hosted on Substack's S3 buckets
- Biographies and social media handles
- Account creation dates and update timestamps
- Internal flags: is_global_admin, is_ghost, is_globally_banned, session_version, has_passed_captcha
- Publisher agreement timestamps and newsletter handles
- Notification preferences and moderation flags
Those internal flags (is_global_admin, is_ghost, session_version) are not the kind of fields you get from scraping public profiles. They're backend database fields. This wasn't a simple API scrape. This was a system-level breach [5].
Substack insists that passwords, credit card numbers, and financial data were not accessed [4]. But with Stripe IDs in the dump, attackers have a direct link to payment infrastructure. And since Substack uses "magic link" email authentication instead of passwords, the email addresses themselves are the keys to the kingdom.
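The scrape-versus-breach distinction above is the first thing an incident response team establishes when a dump like this surfaces. The following Python script is an added example (not code from Substack, the researchers cited, or the BreachForums post): it reads a claimed dump, sorts the columns into public-profile, contact, and backend-only groups, and counts how many records carry a phone number, a Stripe ID, an admin flag, or a publisher agreement, which is the information a notification team needs to scope and prioritize outreach. The column names and the three sample records are constructed for the example; only the flag names match those reported for the dump.

```python
import csv
import io
from collections import Counter

# Column groups are assumptions for this example, based on the field list
# reported for the dump. PUBLIC columns can be collected by scraping a public
# profile; BACKEND columns only exist in the platform's own database.
PUBLIC_COLUMNS = {"name", "handle", "bio", "profile_image", "created_at"}
CONTACT_COLUMNS = {"email", "phone"}  # drive notification and SIM-swap exposure
BACKEND_COLUMNS = {
    "user_id", "stripe_customer_id", "is_global_admin", "is_ghost",
    "is_globally_banned", "session_version", "has_passed_captcha",
    "publisher_agreement_at", "updated_at",
}

# Constructed sample: three fake records, not rows from the actual dump.
SAMPLE_CSV = """user_id,name,email,phone,handle,bio,profile_image,created_at,updated_at,stripe_customer_id,is_global_admin,is_ghost,is_globally_banned,session_version,has_passed_captcha,publisher_agreement_at
1001,Example Writer,writer@example.invalid,+15555550100,examplewriter,Writes about things,https://example.invalid/a.png,2021-03-04T10:00:00Z,2025-09-30T12:00:00Z,cus_EXAMPLE001,false,false,false,3,true,2021-03-05T00:00:00Z
1002,Example Reader,reader@example.invalid,,examplereader,,https://example.invalid/b.png,2023-07-11T08:30:00Z,2025-10-01T09:00:00Z,,false,false,false,1,true,
1003,Example Staff,staff@example.invalid,+15555550102,examplestaff,Platform staff,https://example.invalid/c.png,2019-01-15T14:00:00Z,2025-09-29T11:00:00Z,,true,false,false,7,true,
"""


def classify_columns(header):
    """Split a CSV header into public-profile, contact, backend-only and unknown columns."""
    cols = set(header)
    return {
        "public": sorted(cols & PUBLIC_COLUMNS),
        "contact": sorted(cols & CONTACT_COLUMNS),
        "backend": sorted(cols & BACKEND_COLUMNS),
        "unknown": sorted(cols - PUBLIC_COLUMNS - CONTACT_COLUMNS - BACKEND_COLUMNS),
    }


def is_true(value):
    """Interpret the boolean encodings commonly seen in database exports."""
    return str(value).strip().lower() in {"1", "true", "t", "yes"}


def triage(csv_text):
    """Summarise a claimed dump so an IR team can scope and prioritise notifications.

    Returns the column classification, a verdict on whether the data could have
    come from scraping public pages, and per-record exposure counts.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    columns = classify_columns(reader.fieldnames or [])
    counts = Counter()
    for row in reader:
        counts["records"] += 1
        if row.get("email"):
            counts["with_email"] += 1
        if row.get("phone"):
            counts["with_phone"] += 1          # SIM-swap and smishing exposure
        if row.get("stripe_customer_id"):
            counts["with_stripe_id"] += 1      # linkage to payment infrastructure
        if is_true(row.get("is_global_admin", "")):
            counts["admin_flagged"] += 1       # staff accounts to handle first
        if row.get("publisher_agreement_at"):
            counts["publishers"] += 1          # monetised newsletters
    return {
        "columns": columns,
        # Backend-only columns cannot be produced by scraping public pages.
        "verdict": "database-level exposure" if columns["backend"] else "consistent with public scrape",
        "counts": dict(counts),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_CSV)
    print("verdict:", result["verdict"])
    print("backend-only columns:", ", ".join(result["columns"]["backend"]))
    for key, value in result["counts"].items():
        print(f"{key}: {value}")
```

Run against the embedded sample, the verdict is "database-level exposure" because nine of the sixteen columns are backend-only; a header made up solely of name, handle, and bio would come back as "consistent with public scrape". The per-record counts (two of three records with a phone number, one admin-flagged account, one Stripe-linked account) are what drive the notification wording and ordering in a real response.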
Why This Breach Is Different
Most data breaches hit platforms where people use pseudonyms, throwaway emails, or minimal personal information. Substack is different.
Substack writers use their real names. They attach their real phone numbers. They write under their actual identities because the platform's entire model is built on personal reputation. The people who chose Substack did so because they wanted to build audiences around who they actually are.
That means the 697,313 records in this dump aren't a pile of random usernames and burner emails. They're a curated list of real people (many of them journalists, political commentators, activists, and independent writers) with their verified contact information attached.
For an authoritarian government, a stalker, or a harassment campaign, this is a ready-made target list.
The SIM-Swap Problem
Phone numbers are the prize here. When you combine a real name, a verified email, and a phone number, you get everything needed for a SIM-swap attack.
Here's how it works: An attacker calls the victim's mobile carrier, convinces them to transfer the phone number to a new SIM card, and suddenly intercepts every text message, two-factor authentication code, and phone call intended for the victim. From there, they can take over email accounts, social media, banking: anything tied to that phone number.
Substack's user base isn't random consumers. It skews heavily toward people who write about politics, government accountability, human rights, and technology. People with opinions that make them targets. The same people who are most likely to be targeted by state actors, doxxing campaigns, and organized harassment already have their phone numbers circulating on a cybercrime forum.
Substack's notification email even hinted at this risk, advising users to "exercise extra caution regarding suspicious text messages" [4]. They know what's coming.
The Publisher Problem
The breach didn't just hit subscribers. Analysis of the leaked database shows records belonging to active publishers, accounts linked to monetized newsletters. Publisher agreement timestamps, newsletter handles, and biographies are all present in the data [5].
That means the people running paid Substack publications (many of whom depend on the platform for their livelihood) now have their backend account data exposed. Combined with Stripe IDs, this gives attackers a roadmap to the financial infrastructure behind independent journalism.
Substack Calls It "Internal Metadata"
In the breach notification, Substack described the exposed data as "email addresses, phone numbers, and internal metadata" [4]. That phrasing does a lot of heavy lifting.
"Internal metadata" covers everything from admin flags to session tokens to moderation history. It's the kind of data that reveals how Substack categorizes its users internally: who's flagged, who's banned, who's got admin privileges. In the wrong hands, that information is a blueprint for targeting specific accounts.
Substack hasn't publicly disclosed exactly which metadata fields were exposed. But the BreachForums post doesn't leave much to the imagination.
What You Should Do
If you have a Substack account, as a writer or subscriber, assume your data is compromised. Here's what to do now:
- Change your phone number's carrier PIN. Call your mobile provider and set a porting PIN or passcode. This makes SIM-swap attacks significantly harder.
- Switch to an authenticator app for 2FA. Stop using SMS-based two-factor authentication, and move every account that supports it to an app such as Aegis or Google Authenticator, or to a hardware key.
- Watch for phishing. Attackers now have your name, email, and phone number. Expect highly personalized phishing attempts that reference your Substack activity.
- Check HaveIBeenPwned. Troy Hunt's Have I Been Pwned will likely add this breach dataset. Check if your email appears.
- Review your Stripe account. If you're a paid Substack publisher, log into Stripe directly and verify no unauthorized changes have been made.
- Consider your threat model. If you write about topics that attract targeted harassment (politics, human rights, surveillance, government accountability), treat this as a serious escalation of your personal risk.
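For the Have I Been Pwned step, checking one address by hand on the website is fine, but anyone responsible for a newsroom or a team will want to check a list. The Python below is an added example, not code from HIBP or from this post's sources. It calls the breached-account endpoint of HIBP's v3 API as documented publicly (endpoint path, the hibp-api-key and user-agent headers, 404 meaning "not found", and 429 meaning rate-limited are taken from that documentation as the author of this example understands it; confirm against the current docs before relying on it). The response-handling logic is separated from the network call so it can be exercised offline against a constructed sample response; the API key is assumed to be supplied in the HIBP_API_KEY environment variable.

```python
import json
import os
import urllib.error
import urllib.parse
import urllib.request

# Publicly documented HIBP v3 endpoint (assumption: verify against current docs).
HIBP_BREACHED_ACCOUNT = "https://haveibeenpwned.com/api/v3/breachedaccount/"

# Constructed sample body in the shape HIBP returns by default (truncated
# breach objects carrying only a Name). Not a real API response.
SAMPLE_200_BODY = '[{"Name": "ExampleBreachA"}, {"Name": "ExampleBreachB"}]'


def interpret_response(status, body):
    """Map an HTTP status and body from the breached-account endpoint to a result dict.

    200 -> the address appears in the listed breaches
    404 -> the address is not in any known breach
    401 -> bad or missing API key
    429 -> rate limited; the caller should wait for Retry-After and try again
    """
    if status == 200:
        names = [entry.get("Name", "?") for entry in json.loads(body)]
        return {"breached": True, "breaches": names}
    if status == 404:
        return {"breached": False, "breaches": []}
    if status == 401:
        raise PermissionError("HIBP rejected the API key")
    if status == 429:
        raise RuntimeError("HIBP rate limit hit; honour Retry-After and retry")
    raise RuntimeError(f"unexpected HIBP status {status}")


def check_email(email, api_key, user_agent="breach-check-example"):
    """Query HIBP for one address. Requires network access and a valid API key."""
    url = HIBP_BREACHED_ACCOUNT + urllib.parse.quote(email, safe="")
    request = urllib.request.Request(
        url, headers={"hibp-api-key": api_key, "user-agent": user_agent}
    )
    try:
        with urllib.request.urlopen(request, timeout=15) as response:
            return interpret_response(response.status, response.read().decode())
    except urllib.error.HTTPError as error:
        # 404 and 429 arrive as HTTPError; route them through the same logic.
        return interpret_response(error.code, error.read().decode())


def summarise(results):
    """Turn {email: result} into a short report of which addresses need attention."""
    flagged = {e: r["breaches"] for e, r in results.items() if r["breached"]}
    return {"checked": len(results), "flagged": flagged}


if __name__ == "__main__":
    # Offline demonstration against the constructed sample response.
    print(interpret_response(200, SAMPLE_200_BODY))
    print(interpret_response(404, ""))

    # Live check, only when an API key is present in the environment.
    key = os.environ.get("HIBP_API_KEY")
    if key:
        addresses = ["writer@example.invalid"]  # constructed placeholder address
        live = {addr: check_email(addr, key) for addr in addresses}
        print(summarise(live))
```

The 429 handling is deliberate: HIBP enforces a per-key rate limit, and a naive loop over a few hundred newsroom addresses will trip it, so any batch version of this should sleep for the Retry-After interval rather than hammer the endpoint.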
The Trust Problem
Substack pitched itself as a home for independent voices. Journalists left legacy publications for it. Activists built audiences on it. Political dissidents wrote under their real names on it because they trusted the platform to protect their identity.
That trust took years to build. A four-month detection gap, a cybercrime forum post, and 697,313 exposed records just shattered it.
Chris Best says Substack has "fixed the problem" and is "taking steps to improve our systems" [4]. But the data is already out there. You can't un-leak 700,000 phone numbers. You can't un-expose the real identities of journalists and activists who trusted your platform to keep them safe.
The question isn't whether Substack can fix its security. It's whether the people who trusted it with their real identities will pay the price for its four months of silence.
Sources
- Cyber Insider: Substack suffers apparent data breach affecting nearly 700,000 users (February 2026)
- SecurityWeek: Substack Discloses Security Incident After Hacker Leaks Data (February 2026)
- The Record: Substack warns customers of data breach following hacker's dark web claims (February 2026)
- Security Affairs: Hacker claims theft of data from 700,000 Substack users; Company confirms breach (February 2026)
- Hackread: Substack Breach: 662,752 User Records Leaked on Cybercrime Forum (February 2026)
Published: February 6, 2026