16 comments

  • dickiedyce 3 hours ago

    Ooopsie... possibly a problem for some folks: https://www.theguardian.com/media/2026/feb/07/revealed-how-s...

  • witnessme 5 hours ago

    I have been confused for days about whether this is real news or a hoax. Only a Substack user saying they received this email. I did not. And there is no official statement by Substack. What is really going on here?

    • proactivesvcs 15 minutes ago

      It recently popped up on the HIBP feed; they tend to be pretty careful when checking the veracity of claims.

      https://haveibeenpwned.com/Breach/Substack

    • parable 4 hours ago

      I've seen the leaked data posted on forums. I'm assuming they're trying to minimize the bad PR from this incident by only doing what's legally required, which is to notify affected users. They're likely not obligated to notify the broader public. Whether they should be obligated to do so is another discussion entirely.

      • meitham 2 hours ago

        Could you please tell me which forum this was posted on?

        • parable an hour ago

          I'm fairly sure even mentioning the name of the forum isn't allowed on HN. It should be trivial to find it yourself, though. I also replied to someone else with the CSV headers if you're only trying to find out what exactly was included in the leak: https://news.ycombinator.com/item?id=46932380

          Also, keep in mind that this is a partial leak. The data was scraped from some leaky endpoint which was patched out before every user could be scraped. Only users who were in the partial leak received emails (I have two accounts, only one received an email). If you're a Substack user but didn't receive an email, I'd assume you're not in the leak. Troy Hunt should load it into HIBP eventually, and those concerned can check there if they don't want to seek the leak out on their own.

    • ntoskrnl_exe 13 minutes ago

      According to Have I Been Pwned, 663 thousand accounts were in the breach. You can verify your address there.

  • ArchieScrivener 39 minutes ago

    Israel hacked a US based company and leaked data because they couldn't directly censor them?

  • iamacyborg an hour ago

    So, is the breach for substack users or for people who subscribed to substack users’ newsletters?

    • parable 40 minutes ago

      As far as I know, it only contains users who have made Substack profiles. Regular subscribers don't seem to be included, though I could be wrong.

  • slopusila 4 hours ago

    > including email addresses, phone numbers, and other unspecified “internal metadata.”

    > Substack specified that more sensitive data, such as credit card numbers, passwords, and other financial information, was unaffected.

    I hate it when companies do this.

    Passwords and credit card numbers are easily changed.

    Names, emails and phone numbers are not.

    • parable an hour ago

      I'd edit my other reply to this comment but can't anymore.

      Here are the columns from the CSV file I've seen being shared around on forums, including the "internal metadata". This mostly boils down to full name on file, email, Stripe customer ID, activity metrics, usernames, and phone numbers. Everything else is largely irrelevant.

      id,name,email,email_confirmed,email_confirmation_token,stripe_platform_customer_id,is_global_admin,is_ghost,created_at,anonymous_id,email_bounce_count,photo_url,publisher_agreement_accepted_at,bio,updated_at,profile_set_up_at,tos_accepted_at,email_digest_at,has_passed_captcha,import_confirmation_required,post_notification_preference,reader_installed_at,activity_items_viewed_at,dismissed_ios_app_promo_at,email_notifications_last_resumed_at,previous_name,release_group,handle,phone,bank_payment_failures,is_globally_banned,session_version
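Given the column list above, the practical question for most people is "is my record in this file, and which of the hard-to-change fields does it expose?" The script below is an added example, not code from the thread or from Substack: it searches a CSV with that exact header for your own email addresses and phone numbers, normalising both sides so that case differences, Gmail dots and `+` tags, and phone formatting do not cause a miss, and reports only the identity and payment fields for each match. The two data rows are constructed fake people; the Gmail dot and plus-tag folding is an assumption about how addresses may appear, not something the leak itself is known to contain.

```python
import csv
import io
import re

# Column header exactly as quoted in the comment above (32 columns).
LEAK_HEADER = (
    "id,name,email,email_confirmed,email_confirmation_token,"
    "stripe_platform_customer_id,is_global_admin,is_ghost,created_at,"
    "anonymous_id,email_bounce_count,photo_url,publisher_agreement_accepted_at,"
    "bio,updated_at,profile_set_up_at,tos_accepted_at,email_digest_at,"
    "has_passed_captcha,import_confirmation_required,post_notification_preference,"
    "reader_installed_at,activity_items_viewed_at,dismissed_ios_app_promo_at,"
    "email_notifications_last_resumed_at,previous_name,release_group,handle,"
    "phone,bank_payment_failures,is_globally_banned,session_version"
)
COLUMNS = LEAK_HEADER.split(",")

# The fields a person would actually want to know leaked; the rest of the
# header is timestamps and feature flags.
SENSITIVE_FIELDS = (
    "name", "previous_name", "handle", "email", "phone",
    "stripe_platform_customer_id", "email_confirmation_token",
)


def _build_sample_csv() -> str:
    """Constructed sample data (fake people, fake IDs), not real leak rows."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS)
    writer.writeheader()
    blank = {col: "" for col in COLUMNS}
    # Mixed-case Gmail address with a +tag and a formatted phone number.
    writer.writerow({**blank, "id": "1", "name": "Jane Doe",
                     "email": "Jane.Doe+news@GMAIL.com", "email_confirmed": "true",
                     "email_confirmation_token": "tok_FAKEabc",
                     "stripe_platform_customer_id": "cus_FAKE111",
                     "handle": "janedoe", "phone": "+1 (555) 010-0001"})
    # Plain address, no phone, no confirmation token.
    writer.writerow({**blank, "id": "2", "name": "John Roe",
                     "email": "john@example.org", "email_confirmed": "true",
                     "stripe_platform_customer_id": "cus_FAKE222",
                     "handle": "johnroe"})
    return buf.getvalue()


SAMPLE_CSV = _build_sample_csv()


def normalize_email(addr: str) -> str:
    """Lower-case the address; for Gmail also drop dots and +tags in the
    local part (assumption: the dump may hold any variant you have used)."""
    local, _, domain = addr.strip().lower().rpartition("@")
    if domain in ("gmail.com", "googlemail.com"):
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def normalize_phone(num: str) -> str:
    """Keep digits only and strip a leading international '00' prefix."""
    digits = re.sub(r"\D", "", num)
    return digits[2:] if digits.startswith("00") else digits


def phones_match(a: str, b: str) -> bool:
    """Equal, or one is the other with a country code missing (>=10 digits)."""
    if not a or not b:
        return False
    if a == b:
        return True
    short, long_ = sorted((a, b), key=len)
    return len(short) >= 10 and long_.endswith(short)


def find_my_rows(csv_text: str, emails=(), phones=()) -> list:
    """Return one dict per matching row: id, what matched, and the non-empty
    sensitive fields, so you see exactly which of your data is in the file."""
    want_emails = {normalize_email(e) for e in emails}
    want_phones = [normalize_phone(p) for p in phones]
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        matched = []
        if normalize_email(row.get("email", "")) in want_emails:
            matched.append("email")
        row_phone = normalize_phone(row.get("phone", ""))
        if any(phones_match(row_phone, p) for p in want_phones):
            matched.append("phone")
        if matched:
            exposed = {k: row[k] for k in SENSITIVE_FIELDS if row.get(k)}
            hits.append({"id": row["id"], "matched_on": matched, "exposed": exposed})
    return hits


if __name__ == "__main__":
    for hit in find_my_rows(SAMPLE_CSV, emails=["janedoe@gmail.com"],
                            phones=["555-010-0001"]):
        print(hit["id"], hit["matched_on"], sorted(hit["exposed"]))
```

Point it at the real file by replacing `SAMPLE_CSV` with the file contents; the match is done locally, so nothing about your addresses leaves your machine, which is the point of doing this instead of pasting an email into a random "checker" site.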

    • parable 4 hours ago

      This is what I've been saying for years. I really could care less if my passwords were leaked. My phone number, on the other hand, is near-impossible to change. The fact that VoIP/virtual numbers are blacklisted from use almost everywhere doesn't help anything, because otherwise I would just use a ton of cheap rented numbers.

      The same goes for full names on file, physical addresses, and other hard-to-change information. Passwords have been the least of my concerns since password managers were invented.

      You could, in theory, use a custom domain or email aliasing service like SimpleLogin or Addy to combat the email address issue, though websites like GitHub have been known to block emails created with an aliasing service. I could go on about why that move does next to nothing to combat actual abuse; any spammer worth their salt can just buy a bunch of Gmail accounts or Outlook accounts instead.

      • hikkerl 3 hours ago

        >I really could care less if my passwords were leaked

        couldn't*

        • UqWBcuFx6NV4r 2 hours ago

          Please stop. This is a very common saying, despite its technical inaccuracy. I know that you know this. We don’t have to relitigate it.

    • praptak 2 hours ago

      Phone numbers are kinda concerning given their popularity as 2FA. A phone number is now basically your shared password for everything. It's also semi public, hard to change and you are basically one SIM swap attack away from a full compromise.