
The full extent of what was exposed is less clear. In addition to email addresses and phone numbers, the company mentioned “metadata,” a catch-all term. In its privacy policy, Substack describes a wide range of data this might include, depending on how the site is used, including user IDs, profile pictures, biographies, and IP addresses.
How should Substack users react? Normally, the advice after any data breach is to change the account password. However, Substack’s default access method is via email address, with authentication confirmed by sending a “magic link” to the user’s email address. This removes the problem of password compromise and phishing attacks by not having a password to phish. If optional multi-factor authentication is turned on, the user must additionally enter a one-time code from an app.
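To make concrete why a leaked email address does not by itself unlock a magic-link account, here is an added example (not Substack’s code) of a minimal passwordless login store: tokens are random, short-lived, single-use, bound to the email, and only their hash is persisted. The 15-minute validity window and the class and method names are assumptions; the optional app-based one-time code is not modelled.

```python
import hmac
import secrets
import time
from hashlib import sha256

# Assumed parameter (not from the article): a link is valid for 15 minutes.
LINK_TTL_SECONDS = 15 * 60


class MagicLinkStore:
    """Issues and redeems single-use, time-limited login tokens bound to an email.

    Only a SHA-256 hash of each token is stored, so a dump of this table yields
    email addresses and expiry times but no usable login links.
    """

    def __init__(self, now=time.time):
        self._now = now            # injectable clock, so expiry is testable
        self._pending = {}         # token_hash -> (email, expires_at)

    def issue(self, email: str) -> str:
        # 256 bits of randomness: infeasible to guess from the email alone.
        token = secrets.token_urlsafe(32)
        token_hash = sha256(token.encode()).hexdigest()
        self._pending[token_hash] = (email.lower(), self._now() + LINK_TTL_SECONDS)
        return token  # goes into the emailed link; never stored in clear

    def redeem(self, email: str, token: str) -> bool:
        token_hash = sha256(token.encode()).hexdigest()
        # pop() consumes the entry, so a link works at most once, even on failure.
        entry = self._pending.pop(token_hash, None)
        if entry is None:
            return False
        bound_email, expires_at = entry
        email_ok = hmac.compare_digest(bound_email.encode(), email.lower().encode())
        return email_ok and self._now() <= expires_at

    def pending_count(self) -> int:
        return len(self._pending)
```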
Passwords are still possible — users who signed up before 2023 might have one — but in 2026, the user must actively choose to create one. The company doesn’t mention whether this subset of users should consider changing their passwords as a precaution, but it did offer the following statement:
