TL;DR: Substack says an unauthorized party accessed user account data affecting roughly 697,298 users, including email addresses, phone numbers, usernames, bios, and internal metadata, then posted the dataset on cybercrime forums, increasing phishing and social engineering risk, according to Gurucul. The incident shows how exposed account metadata can become a downstream attack asset even when passwords and payment data are not taken.
NHIMG editorial — based on content published by Gurucul covering the Substack data breach: Threat Intelligence Data Leak - Substack Confirms Security Incident
By the numbers:
- The breach was discovered on February 3, 2026, after it reportedly occurred in October 2025.
Questions worth separating out
Q: What breaks when SaaS account data is exposed even if passwords are not stolen?
A: When account data is exposed, attackers can still mount convincing phishing and impersonation campaigns using email addresses, phone numbers, usernames, profile names, and internal metadata.
Q: Why do exposed profile fields and contact details matter to IAM teams?
A: They matter because IAM controls are only one part of identity security.
Q: How do security teams know whether account-data exposure is being contained?
A: They should look for rapid reduction in external references to the leaked dataset, lower levels of anomalous bulk access, and fewer successful phishing attempts using exposed identity details.
Practitioner guidance
- Classify identity metadata by abuse value Inventory which user fields, internal metadata elements, and support records can be used for phishing, impersonation, or account correlation.
- Review bulk export and support access paths Identify every role that can query, export, or inspect account records at scale, then verify least-privilege scoping, logging, and periodic access review for those paths.
- Detect secondary redistribution quickly Monitor cybercrime forums, messaging channels, and paste sites for redistributed datasets so a breach does not become a long-lived abuse source.
What's in the full article
Gurucul's full blog covers the operational detail this post intentionally leaves for the source:
- The incident timeline and the specific discovery sequence that led to public confirmation.
- Sample leak details and the account fields exposed in the dataset.
- The detection and structural control recommendations the source proposes for SaaS environments.
- The incident assessment and severity framing applied to the breach.
👉 Read Gurucul's analysis of the Substack data leak and identity exposure →
Substack data leak: what it means for SaaS account governance?
Explore further
Identity metadata is an abuse-enabling asset, not a background field. This breach did not need password compromise to create material security risk because contact details and profile context are enough to enable believable impersonation. The lesson is that identity governance must cover the data surrounding identities, not only the credentials that authenticate them. Practitioners should treat exposed metadata as part of the identity attack surface.
A few things that frame the scale:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities.
- Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months, according to Oasis Security & ESG.
A question worth separating out:
Q: Who is accountable when a platform exposes user identity data at scale?
A: Accountability sits with the organisation that controls the data, the privileged access paths, and the detection process around those records. Security, application, and privacy teams all share responsibility, but the owner of the exposed system must ensure access review, monitoring, and incident response are effective.
👉 Read our full editorial: Substack data leak exposes account metadata and phishing risk