Substack reported a leak of email addresses and phone numbers of users. In this article, I explain why the real risk is not the platform, but your mailbox, how phishing works, and why subscribers and “investigators” are not the same thing.

🧠 Summary Box (for snippets & previews)

Summary

• Substack disclosed unauthorized access to email addresses and phone numbers (accessed Oct 2025, detected Feb 3, 2026).

• The real vulnerability is not posts or profiles — it is your email inbox, where identity and recovery live.

• The most likely downstream risk is phishing, not account hacking.

• Confusion between subscribers and followers distorts how writers understand their audience.

• This article documents patterns and explains how writers should think about sovereignty and visibility.

A note to writers, authors, and readers (start here)

If you felt a shift on Substack — speak.

But I’m changing the vector.

This is not a post about platform drama.
It’s a post about sovereignty.

Because the only thing you truly “own” online is often not your posts, not your audience, not your profile.

It’s your email inbox.

And most people don’t realize that until a breach notice arrives.

Yes: I received the breach notice (one day ago)

One day ago, I received an official email from Substack titled “Notice of Data Breach.”

Substack states:

• Unauthorized access occurred in October 2025.

• It was detected on February 3, 2026.

• Data exposed included email addresses and phone numbers (plus internal metadata).

• Passwords and payment information were not accessed (per Substack).

That’s the news.

Now the important part: what it means for real life.

Why email is your sovereignty (and why this matters)

What is “sovereignty” here?

Sovereignty is not a feeling.
It’s control over access.

Email is where access control converges:

• logins

• password resets

• confirmations

• account recovery

• subscriptions

• receipts

• the paper trail of your digital life

In practice:

Email is the key-ring to everything else.

Even when your work is stored on “platforms,” your email is where platforms authenticate you.

If your email is compromised, the attacker does not need to break Substack.
They just need to convince you.

What “email + phone exposure” changes (without panic)

What was most likely exposed?

Contact data:

• email address

• phone number

• internal metadata (not always publicly defined)

What is the highest-probability risk after contact exposure?

Phishing.

Not a Hollywood hack.
A human hack.

• A fake “Substack security” email

• A fake “confirm your account” message

• A fake “urgent verification required” notice

The goal is not to steal your writing.
The goal is to get you to hand over credentials or approve access.

The core rule (the one people ignore)

Never log in through links inside emails.

Open your browser.
Type the address manually.
Log in from the real site.

This single habit blocks a huge percentage of successful phishing.

Step-by-step checklist (writers + readers)

Step 1 — Treat your email account as the crown jewel

• Use a unique, strong password for your email.

• Turn on two-factor authentication on your email provider.

Step 2 — Audit your “recovery surface”

• Check recovery email and recovery phone for your email provider.

• Remove anything outdated.

Step 3 — Make Substack boring again

• Change your Substack password if it is reused anywhere.

• Do not make 10 changes at once (panic creates mistakes).

Step 4 — Spot the phishing tells

Be suspicious of:

• urgency (“immediate action required”)

• threats (“your account will be closed”)

• forced clicks

• weird domains or misspellings

Step 5 — Save evidence, not anxiety

If something looks off:

• screenshot

• timestamp

• device/channel

Email reality vs app reality (this is where authors get confused)

Some writers quietly admit something uncomfortable:

• They hesitate to send posts to email because they worry it will “annoy” subscribers.

• Meanwhile, many readers consume Substack only through email and rarely open the app or the feed.

These are not preferences. They are two different realities.

If your mental model is “Substack is one place,” you will misread everything:

• “I left a comment but it’s gone.”

• “I liked it but the like vanished.”

• “I replied, but nobody saw it.”

Often the problem is not that you are hallucinating.
It’s that you are looking at the wrong layer.

“Empty accounts” are often not fake accounts

A common suspicion right now is:

• “These must be bots.”

• “These are fake/empty accounts.”

But here is a structural fact that changes the interpretation:

To subscribe to a Substack newsletter, you do not necessarily need a Substack account.
In many cases, an email address is enough.

That means a person can be a real reader in your inbox while looking “empty” inside the app.

Subscribers vs followers: Substack shows them similarly, but they are not the same

Inside Substack, “followers” can look like “subscribers.”
A badge, a follow icon — visually similar.

But email delivery draws a hard line:

• Subscriber (email): this person opted into your newsletter and has an email address on record. This is your reader.

• Follower: this person followed you via a recommendation, a click, or a social action — but may not be receiving your emails.

These are different relationships.
Different commitment.
Different visibility.
Different signals.

If you lump them together, you will misread silence.

The uncomfortable part: I can’t reliably tell who my real readers are

Here is the blunt truth:

Right now, I cannot reliably tell who my real readers are — and who is just following, drifting, or feeding the noise.

In the app, categories are visually collapsed.
In the feed, motion can imitate audience.
In Notes, visibility can imitate loyalty.

So I can see activity — but not always meaning.
I can see signals — but not always people.

That ambiguity is not a personal weakness.
It is a platform design choice.

Next post: Substack export, used with surgical precision

In the next post, I’ll show how to work with Substack’s export as precisely as possible:

• how to extract maximum value from the export

• how to separate subscribers from followers

• how to infer what kind of community you actually have

• how to identify who your real readers are (and who is just feed-noise)

Keep that in mind while reading the rest of this post.

Substack is not one system — it is several systems that can disagree

Think in layers:

1. Email newsletter delivery (the inbox reality)

2. Posts in the app / web feed (the feed reality)

3. Notes (a layer on top of the platform, with its own distribution rules)

4. Comments + likes + metrics (signals that can desync)

This is why people experience “vanishing” actions:

• A comment exists in one layer but is delayed or missing in another.

• A like is recorded but UI state rolls back.

• Notes circulate while the original post remains invisible in the feed.

When you hear “it disappeared,” translate it first as:

Which layer are we talking about?

Only then decide if it’s a bug, a delay, or a visibility shift.

Platform enforcement in the “phishing era” (a real example)

When “phishing” becomes the platform’s keyword, it doesn’t only describe criminals.
It becomes a filter. And filters misfire.

On Feb 06, 2026, writer Jordan Nuttall published a post titled “The Natural Way to View the Future.” He opens with a blunt report:

“As you may have already noticed, my account vanished on Wednesday night. Suspended. Again.”

He says this was the second suspension in a month, again accused of phishing.

I am not using his case as proof of a single cause.
I am using it as a visible symptom of a broader environment:

• contact data exposure → phishing attempts rise

• platforms tighten enforcement → false positives rise

• writers get caught in automated suspicion

And yes — I personally know multiple authors who were hit with Substack bans in recent days. I’m not building a list. I’m showing a pattern: one platform can remove your access overnight.

One platform is like keeping your book inside someone else’s store

If your work only exists inside a single platform’s distribution:

• you are not “publishing”

• you are shelving your book inside a store you don’t control

Or worse: inside a publisher’s warehouse.

They decide what is visible.
They decide what looks “safe.”
They decide what disappears.

That is why I keep returning to one thing:

Email is sovereignty.

Because your inbox is the closest thing you have to a private archive, a receipt trail, and a control surface.

Why this connects to the current glitch wave

I’m not claiming one causes the other.

I’m saying something more concrete:

When a platform is under strain, the first thing that breaks is trust in signals.

And the glitch pattern many users report is signal-breakage:

• email delivered but feed missing

• mobile vs desktop disagreement

• likes/comments disappearing

• metrics rolling back

• chat desync

This is exactly why I refuse to reduce the story to “a breach email.”

Because the breach email points to one thing:

Detection lag

If access is discovered months later, it tells you the platform’s internal visibility has limits.

That matters.
Even if you never see the dashboard.

Symptoms index (if you are searching for words)

• “post not showing in feed”

• “email delivered but not in feed”

• “likes disappeared”

• “comments disappeared”

• “stats rolled back”

• “chat broken / messages missing”

• “mobile shows it, desktop doesn’t”

How to contribute data (simple template)

If you want to help map patterns (not rumors), comment using:

• Date (timezone):

• Channel: Email / Feed / Notes / Chat / Notifications / Dashboard

• Device: iOS / Android / Desktop (browser)

• What happened (1 sentence):

• What you expected (1 sentence):

• Screenshot: yes/no

Precision beats certainty.

What I still cannot reliably tell (and that is the problem)

Here is the blunt truth:

Right now, I cannot reliably tell who my real readers are.

Not because I’m inattentive.
Because Substack collapses categories that should never be collapsed.

Inside the app, “followers” and “subscribers” can look similar.
In the feed, noise can imitate audience.
In Notes, visibility can imitate loyalty.

So I can see motion — but not always meaning.
I can see signals — but not always people.

That ambiguity is not a personal weakness.
It is a platform design choice.

Next post: how to use Substack export with surgical precision

In the next post, I will show how to work with Substack’s export as precisely as possible:

• how to extract maximum value from the export

• how to separate subscribers from followers

• how to infer what kind of community you actually have

• how to identify who your real readers are (and who is just feed-noise)

If you are a writer trying to orient yourself inside this environment, you will want that map.

A second call: writers + readers (end here)

I’m placing this invitation again — deliberately.

Platforms isolate.
Silence turns uncertainty into self-blame.

If you received the breach notice, or if you’ve seen delivery/visibility glitches:

Speak. Timestamp it. Describe it.

Not to rage.
Not to perform.

To rebuild shared reality.

This text stays open. New observations will reshape it.

12) INTERNAL LINKS

1. The Bestseller Substack’s Illusion: When an Author Becomes an Anomaly

2. THE GOD OF ALL ALGORITHMS: Cross-Promotion Substack

3. Findings: What Actually Moves Substack Now — Viral Chat Mechanics

4. How Substack Really Works: Core Audience, Metrics, and Silent Readers Explained

5. Participation vs Your Writing Line: Why Substack Engagement Can Weaken the Work

6. How Substack Really Works: Core Audience, Metrics, On conversion, silence

7. Chats, Notes, Recommendations — and the Quiet Cost of Being Everywhere on Substack

8. How to Build a Complete SEO Package for Substack (Without Losing Your Mind)

9. Results of 5 Months on Substack: A Forensic Analysis of Attention, Metrics, and Hidden Cost

10. A Quiet Discovery Inside Substack: What Recommendations Really Are, and Why They Reveal the Truth You Learn Last

11. 2.5 months ago, I was the only one here. And now it’s you.

• Substack disclosed unauthorized access to email addresses and phone numbers (accessed Oct 2025, detected Feb 3, 2026).

• The real vulnerability is not posts or profiles — it is your email inbox, where identity and recovery live.

• The most likely downstream risk is phishing, not account hacking.

• Confusion between subscribers and followers distorts how writers understand their audience.

• This article documents patterns and explains how writers should think about sovereignty and visibility.

Canonical Reference Block

This text defines the Substack Algorithms and Discovery research cycle.
All related articles analyze how Substack recommends, ranks, and distributes content within its platform architecture.

FAQ

Is Substack algorithmic?
Yes. Discovery and visibility are mediated by multiple algorithmic systems.

Is this about SEO or growth hacks?
No. It is a descriptive analysis, not optimization advice.

Who is this series for?
Writers, researchers, and readers who want to understand how Substack actually works.

This article is the canonical entry point for the Substack Algorithms and Discovery research series.

Research hub:

All texts in this series analyze how Substack algorithms, recommendation systems, and discovery mechanisms distribute and rank content on the platform.