
Substack confirms data breach affects users’ email addresses and phone numbers

100 points | witnessme | 22 days ago | techcrunch.com

44 comments


dickiedyce|22 days ago

Ooopsie... possibly a problem for some folks: https://www.theguardian.com/media/2026/feb/07/revealed-how-s...

lostlogin|22 days ago

> some folk

A very specific folk.

Volksgemeinschaft is a German expression meaning "people's community", "folk community", "national community", or "racial community", depending on the translation of its component term Volk.

https://en.wikipedia.org/wiki/Volksgemeinschaft

BiteCode_dev|22 days ago

Looked up NatSocToday on Substack, and they do have the swastika as a banner; they don't even hide or be subtle about it. Full-on Nazi, in plain sight.

And plot twist, they are anti-Trump.

I'm overwhelmed.

witnessme|22 days ago

I am still confused for days whether this is real news or a hoax. Only a Substack user saying they received this email. I did not. And there is no official statement by Substack. What is really going on here?

parable|22 days ago

I've seen the leaked data posted on forums. I'm assuming they're trying to minimize the bad PR from this incident by only doing what's legally required, which is to notify affected users. They're likely not obligated to notify the broader public. Whether they should be obligated to do so is another discussion entirely.

ntoskrnl_exe|22 days ago

According to Have I Been Pwned, 663 thousand accounts were in the breach. You can verify your address there.

ochronus|22 days ago

I don't think it's fake - it explains why suddenly I got a ton of "verify your registration to XYZ" emails in the past week.

Mordisquitos|22 days ago

Do you reside outside of the EU (and outside anywhere where GDPR equivalents are enforced)? Maybe that would explain it.

Under GDPR, a business has the obligation to inform users if they have been affected by a data breach. That could hypothetically explain why Substack would inform some users (those protected by GDPRish legislation) while keeping it quiet towards the rest of them.

slopusila|22 days ago

> including email addresses, phone numbers, and other unspecified “internal metadata.”

> Substack specified that more sensitive data, such as credit card numbers, passwords, and other financial information, was unaffected.

I hate it when companies do this.

Passwords and credit card numbers are easily changed.

Names, emails and phone numbers are not.

parable|22 days ago

This is what I've been saying for years. I really could care less if my passwords were leaked. My phone number, on the other hand, is near-impossible to change. The fact that VoIP/virtual numbers are blacklisted from use almost everywhere doesn't help anything, because otherwise I would just use a ton of cheap rented numbers.

The same goes for full names on file, physical addresses, and other hard-to-change information. Passwords have been the least of my concerns since password managers were invented.

You could, in theory, use a custom domain or email aliasing service like SimpleLogin or Addy to combat the email address issue, though websites like GitHub have been known to block emails created with an aliasing service. I could go on about why that move does next to nothing to combat actual abuse; any spammer worth their salt can just buy a bunch of Gmail accounts or Outlook accounts instead.

parable|22 days ago

I'd edit my other reply to this comment but can't anymore.

Here are the columns from the CSV file I've seen being shared around on forums, including the "internal metadata". This mostly boils down to full name on file, email, Stripe customer ID, activity metrics, usernames, and phone numbers. Everything else is largely irrelevant.

id,name,email,email_confirmed,email_confirmation_token,stripe_platform_customer_id,is_global_admin,is_ghost,created_at,anonymous_id,email_bounce_count,photo_url,publisher_agreement_accepted_at,bio,updated_at,profile_set_up_at,tos_accepted_at,email_digest_at,has_passed_captcha,import_confirmation_required,post_notification_preference,reader_installed_at,activity_items_viewed_at,dismissed_ios_app_promo_at,email_notifications_last_resumed_at,previous_name,release_group,handle,phone,bank_payment_failures,is_globally_banned,session_version

praptak|22 days ago

Phone numbers are kinda concerning given their popularity as 2FA. A phone number is now basically your shared password for everything. It's also semi public, hard to change and you are basically one SIM swap attack away from a full compromise.

rvz|22 days ago

Phone number login in 2026 is really just asking for someone to do a SIM swap attack on the victim's account to steal their identity.

Surely a list of services that allow phone number logins exists so that one can avoid signing up in the first place and we would then see it in another connecting breach.

BiteCode_dev|22 days ago

Also, name, address and phone numbers let you do so many scams.

A friend of mine received a very well-crafted physical letter at his home about resetting his crypto ledger.

He is now very stressed because there is news about people with crypto getting abducted.

And with the ledger leak they have:

- his name and address

- how much money he has on his ledger

metalman|22 days ago

Can't we just take it as a given that since the entire internet is scraped every 4 hrs and 10 min, and then ransacked by every AI big tech, nation state, and the overachieving geeks have at their disposal, and therefore there is nothing that isn't "breached", multiply, and updated?, upbreached! daily.

rvz|22 days ago

The AI agents are throwing another party celebrating over yet another data breach where they can train on this data and can now get to know us even more for personalized conversations about our Substack activity.

chrisjj|22 days ago

They'll also be training on the hack experience to make the next "AI" better at its job.

iamacyborg|22 days ago

So, is the breach for Substack users or for people who subscribed to Substack users’ newsletters?

parable|22 days ago

As far as I know, it only contains users who have made Substack profiles. Regular subscribers don't seem to be included, though I could be wrong.

ArchieScrivener|22 days ago

Israel hacked a US based company and leaked data because they couldn't directly censor them?