Date: 2026-02-05

A large number of Substack users will have received a short e-mail authored by Substack Inc.’s CEO, Chris Best, informing them of a data breach at Substack. Under normal circumstances one could express sympathy with the company for the hack and then move on. However, this is one of a number of strange things happening at Substack, including the inappropriate imposition of age-verification requirements.

The short e-mail message received today fails to mention the scale of the data breach and informs the recipient that the data breach resulted in the “email address from your Substack account being shared.” Online reporting suggests that this breach relates to nearly 700,000 records; this can be compared with a total claimed user base of 20 million monthly active subscribers.

The e-mail also makes clear the data was accessed in October 2025 and it is not really clear why it took several months to inform people about the data breach. The e-mail doesn’t include links to resources produced by the Federal Trade Commission and others which advise consumers about actions that they could take after a data breach.

Imposition of age-verification requirements

Data breaches happen and, according to the e-mail, sensitive information about credit card numbers and financial information was not accessed. In addition to the data breach headache, we’ve experienced a very poor response (no response actually) to our queries to Substack relating to the imposition of age-verification requirements to access part of our content. These restrictions seem to apply both to notes and direct messages.

Some message threads just shrug this development off as Substack’s compliance with various legal requirements including the UK Online Safety Act. That however is not true since age-verification requirements only apply to harmful content, which is generally pornography and information on self-harm. In fact, the UK regulator (Ofcom) has explicitly stated that providers have no legal basis to impose age-verification requirements on non-harmful content.

I am pretty sure that restricting access to our notes qualifies as “unnecessary content restrictions.” A group of creators with over 60,000 subscribers in aggregate wrote to Substack about this and so far Substack has failed to respond to e-mails (tos@substackinc.com), direct messages and tags in Substack posts. Since first writing one month ago, our group has now expanded to include Kit Klatenberg and Robina Qureshi and now has over 80,000 subscribers in aggregate.

Signatories to the 7th Jan 2026 letter

The inappropriate imposition of these age requirements is having a significant negative impact on our subscribers who, quite reasonably, don’t want to submit passport, driving license and/or other information to go through the age-verification process. Some creators are seeing a steady decline in paid subscribers and gross annualized revenue from October 2025 onwards. The chart below shows that the steady income reduction for Thinking Coalition from October 2025 onwards is completely at odds with the continued growth in subscribers (orange). Also, the fall from October 2025 is a significant reversal of the fairly steady growth seen throughout 2025. These trends are illustrated within the dotted circle.

People may have been tightening their belts towards Christmas and everyone is facing cost of living challenges, but the revenue developments suggest a response to administrative forces rather than market factors. A number of dissident authors have seen these counter-intuitive trends.

Conclusions

The data privacy requirements imposed on corporates are generally pretty weak and rely on self-regulation and adherence to a Data Privacy Framework. Substack itself complies with the EU-US Data Privacy Framework. This mainly regulates the way in which companies handle, store and potentially sell data rather than imposing requirements on safekeeping. Class Action lawsuits seem to be the major remedy to seek compensation for data breaches. But even here awards are modest and relate primarily to requiring a company to monitor people’s credit ratings to prevent fraudsters taking out loans in their names. Even a very large data breach like Capital Health System’s loss of around ten million files including sensitive information on names, e-mail addresses, social security numbers and clinical information resulted in a damages award of USD 4.5 million.

Data breaches are part of today’s online reality and no one seems to be completely immune from this problem. Having said that, our experience in interacting with Substack has not been positive; like many of today’s faceless organisations, they seem to ignore reasonable requests for clarification. Being told that Substack has lost my data just adds to a list of poor interactions with this company which has so much promise.

If you are a creator or a subscriber who would like to co-sign the letter to Substack then please contact me on info@thinkingcoalition.org; the full text of the letter is available in various notes including via the link provided.

Many thanks

Alex

Alex Kriel is by training a physicist and was one of the first people to highlight the flawed nature of the Imperial COVID model. He spent his career in consultancy and fund management, including a long stint in Russia. His last job was in one of the world’s largest pension funds, where he handled corporate governance issues and shareholder voting over a portfolio of 2,300 equity investments. He is a founder of the Thinking Coalition, which comprises a group of citizens who are concerned about government overreach and are developing practical solutions to protect inalienable individual liberties (www.thinkingcoalition.org).