Date of Incident:
October 2025
Overview:
In October 2025, Substack experienced a data breach where unauthorized access led to the theft of 697,313 user records, involving email addresses, phone numbers, and internal metadata. Credentials and financial information remained secure, but the exposed personal data heightened the risk of phishing attacks. The breach exploited exposed APIs and inadequate access controls, with attackers leveraging phishing tactics to gain initial access. The incident was reported in February 2026, highlighting the need for vigilance against potential phishing attempts.
Impact:
Attackers stole email addresses, phone numbers, and other internal metadata of users; no access to credentials or financial information; 697,313 records allegedly stolen and leaked on a hacking forum; users were warned of potential phishing attempts.
Details:
The Substack Data Breach involved unauthorized access leading to the theft of 697,313 user records containing email addresses, phone numbers, and internal metadata. MITRE ATT&CK mapping indicates Initial Access via phishing (T1566) and Credential Access through data from information repositories (T1083). The attackers leveraged exposed APIs and exploited inadequate access controls. IOCs include the leaked email addresses and phone numbers posted on hacking forums. Log artifacts showed anomalous API calls and unusual data extraction patterns, consistent with data exfiltration tactics. No credential or financial data was accessed, indicating a limited scope but a high risk of phishing attacks due to the exposed PII. The proof-of-concept behaviour consisted of automated scripts scraping data from API endpoints that were susceptible to token reuse.
Remediation:
Substack’s vendor guidance emphasizes immediate patching of API permission flaws and implementing stricter access controls including OAuth token revocation and rotation. Temporary mitigations suggest enhanced anomaly detection on API usage and multi-factor authentication enforcement. Known workarounds include limiting exposed metadata fields and monitoring user accounts for suspicious activity.
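As an added illustration of the API-usage anomaly detection recommended above (this is example code written for this page, not Substack's tooling or anything recovered from the incident), the following Python script runs two checks over constructed API access log lines: bulk enumeration of user-profile IDs by a single token within a short window, which matches the "unusual data extraction patterns" noted in the details, and one bearer token appearing from more than one source IP, a simple signal for the token reuse the details describe. The log format, field names, `/api/v1/users/<id>` path, sample values and thresholds are all assumptions for illustration.

```python
"""Flag bulk user enumeration and token reuse in API access logs.

Added example; not Substack's code. The log format below is assumed:
"<ISO timestamp> <source_ip> <token_id> <method> <path> <status>".
Paths, token names and thresholds are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample lines: tok_a1 walks the user-profile endpoint by
# sequential ID at machine speed from two different source IPs, while
# tok_b2 behaves like a normal client reading its own profile.
SAMPLE_LOG = """\
2025-10-03T02:14:00Z 203.0.113.7 tok_a1 GET /api/v1/users/1001 200
2025-10-03T02:14:01Z 203.0.113.7 tok_a1 GET /api/v1/users/1002 200
2025-10-03T02:14:01Z 203.0.113.7 tok_a1 GET /api/v1/users/1003 200
2025-10-03T02:14:02Z 198.51.100.9 tok_a1 GET /api/v1/users/1004 200
2025-10-03T02:14:02Z 198.51.100.9 tok_a1 GET /api/v1/users/1005 200
2025-10-03T02:14:03Z 198.51.100.9 tok_a1 GET /api/v1/users/1006 200
2025-10-03T02:15:10Z 192.0.2.44 tok_b2 GET /api/v1/users/me 200
2025-10-03T02:20:30Z 192.0.2.44 tok_b2 GET /api/v1/users/me 200
2025-10-03T02:21:05Z 192.0.2.44 tok_b2 POST /api/v1/posts 201
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<token>\S+) "
    r"(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)
# Numeric profile IDs only; "/users/me" is a client reading its own record.
USER_PATH_RE = re.compile(r"^/api/v1/users/(\d+)$")

# Assumed thresholds: tune to the service's real baseline.
WINDOW = timedelta(minutes=5)
MAX_DISTINCT_USERS_PER_WINDOW = 5   # more profiles than a person reads in 5 min
MAX_IPS_PER_TOKEN = 1               # one bearer token from several IPs is suspect


def parse(log_text):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def detect(log_text):
    """Return a sorted list of (token, finding) tuples."""
    events = parse(log_text)
    ips_by_token = defaultdict(set)
    user_hits = defaultdict(list)   # token -> [(timestamp, user_id)]
    for ev in events:
        ips_by_token[ev["token"]].add(ev["ip"])
        um = USER_PATH_RE.match(ev["path"])
        if um:
            user_hits[ev["token"]].append((ev["ts"], um.group(1)))

    findings = []
    # Check 1: the same token presented from more than one source IP.
    for token, ips in ips_by_token.items():
        if len(ips) > MAX_IPS_PER_TOKEN:
            findings.append((token, f"token used from {len(ips)} source IPs"))

    # Check 2: sliding window over profile fetches; count distinct IDs.
    for token, hits in user_hits.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > WINDOW:
                start += 1
            distinct = {uid for _, uid in hits[start:end + 1]}
            if len(distinct) > MAX_DISTINCT_USERS_PER_WINDOW:
                findings.append((token, f"enumerated {len(distinct)} distinct "
                                        f"user profiles within {WINDOW}"))
                break
    return sorted(set(findings))


if __name__ == "__main__":
    for token, msg in detect(SAMPLE_LOG):
        print(f"{token}: {msg}")
```

Both checks are intentionally stateless over a log slice so they can be replayed against historical API logs during an investigation as well as run on a stream; in production the thresholds would come from a measured per-endpoint baseline, and a hit on the token-reuse check is a natural trigger for the token revocation and rotation the guidance calls for.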
Takeaway for CISO:
This breach highlights the critical importance of securing API endpoints and metadata exposure. While no credentials were compromised, the leaked personal data substantially increases phishing risks. CISOs must prioritize API security, implement robust access controls, and proactively monitor for anomalous data access to reduce attack surface in cloud-based platforms.
