What Creators Must Do Now After Substack’s February 2026 Data Breach: Protect Subscribers, Revenue, and Trust

Why this matters to creators (short)

• Exposed contact data fuels phishing and SIM‑swap attacks that can trick your audience and damage renewals or conversions. ^[2]
• Even if payment data wasn’t leaked, lost trust or poor deliverability will cost paying subs and future signups. ^[3]
• Threat actors claim to have posted ~700K records from the incident — treat every subscriber as potentially targeted. ^[4]

Three immediate actions (first 48 hours)

1) Lock down and export your data (30–90 minutes)

• Export your full subscriber CSV from Substack immediately (Emails, paid/free status, phone numbers). Substack supports subscriber export; do this now so you control a copy of your list. ^[5]
• Back up posts, payment history, and media assets (audio/video) — store encrypted copies in Google Drive, Dropbox, or other secure storage. ^[6]
• If you use third‑party tools (Zapier, CRM, email tools), review connected apps and revoke tokens you don’t recognise. No change is too small in the first day.

2) Immediate subscriber protection (hours)

• Send a calm, short notification to paid subscribers only (see template below). Use Substack or your exported list — but avoid mass SMS unless you control the sender identity.
• Advise subscribers to be on guard for phishing, not to click unexpected links, and to verify any SMS/call by contacting you through a known channel. Cite Substack’s disclosure to show transparency. ^[7]
• If you collect payments elsewhere too (Patreon, Gumroad, Stripe), confirm no payment compromise there — post a short reassurance.

3) Harden your publishing & payment setup (next 48 hours)

• Enable two‑factor authentication (2FA) on your Substack account, Stripe, email, and any admin tools. Require strong passwords and unique recovery contacts.
• Check DNS and email authentication: publish or verify SPF, DKIM and DMARC for your domain if you use a custom domain (this reduces domain spoofing and phishing risk). Major inbox providers now expect strong authentication—this is non‑optional for reliable delivery. ^[8]
• Consider adding an approved forwarding/domains policy and a monitoring tool (OnDMARC/Red Sift) so you get alerts if spoofing attempts appear. ^[9]

Short to mid‑term revenue and trust playbook (1–6 weeks)

1) Rebuild trust with a precise comms plan

• Publish one long‑form piece explaining what happened, what you did (exported list, revoked tokens, enabled 2FA), and what subscribers should watch out for. Transparency reduces churn. (Keep it factual and dated.) ^[10]
• Offer an optional live Q&A or AMAs with paid subscribers to answer questions and show you’re accountable (boosts retention).

2) Convert at‑risk subscribers into higher‑commitment revenue (safely)

When trust wavers, members who choose deeper, paid access are more likely to stay if they feel secure and valued. Consider a short, low‑friction upsell:

• Offer a limited‑time "security‑first" tier: a private chat room + monthly AMAs + early access ($3–$7/month incremental). Keep pricing simple and clearly tied to extra value.
• Run a targeted retention campaign to paid subscribers: one‑click renewal reminders, a “thank‑you” offer (1 month free for yearly upgrades), or a referral incentive for verified referrals.

3) Diversify where your money lives (revenue resilience)

Exporting your list makes migration possible. If you want to reduce platform concentration risk, evaluate these options:

Sources: platform pricing overview and recent guides — Substack takes ~10%; Ghost/beehiiv use Stripe and different pricing models. Use this to model your migration ROI. ^[11]

Practical migration checklist (if you choose to move or add a mirror)

1. Export subscribers (Substack Settings → Subscribers → Export). Save CSVs for free vs paid segments. ^[12]
2. Set up target platform (Ghost / beehiiv / ConvertKit) and connect Stripe before importing paid members. ^[13]
3. Import CSV, map paid/free tags, send a welcome migration email with clear instructions and an easy opt‑out. Test deliverability on small batches first.
4. Keep Substack live during migration; stagger invites and include incentives to migrate (exclusive content, discount). Monitor churn weekly and adjust messaging.

Technical checklist: email deliverability & anti‑phishing (must do)

• Publish and verify SPF, DKIM and DMARC records for your domain; move DMARC to enforcement (p=quarantine → p=reject) only after monitoring to avoid accidental delivery loss. Major providers expect these in 2026. ^[14]
• Use a reputation/monitoring tool (Google Postmaster, Red Sift, OnDMARC) and subscribe to complaint feedback loops. ^[15]
• Require 2FA for any account with subscriber or payment access; rotate API keys and webhooks.
• Publish a canonical verification page on your site listing official channels so subscribers can verify messages (e.g., “Official messages come from: [you@yourdomain.com] or text from +1‑555‑222‑3333”).

Real numbers to model impact (example scenarios)

Subscriber communication examples (templates)

What to monitor (KPIs) — 0–90 days

• Churn rate for paid subs (weekly) — anything >1.5–2%/week signals messaging or trust issues.
• Email open rates and bounce rates — sudden drops suggest deliverability problems (fix SPF/DKIM/DMARC). ^[17]
• Support contacts about suspicious messages — track volume and origin.
• Migration opt‑in rate if you invite subs to a mirror platform.

Further reading & tools

• Substack’s announcement and coverage (disclosure details). ^[18]
• Security reporting and risk (SANS / CSO coverage). ^[19]
• Email authentication and DMARC guides (Red Sift, DMARC Report). ^[20]
• Platform pricing and migration resources (Ghost, beehiiv, Substack pricing analyses). ^[21]

Note: multiple security outlets and media reports indicate the breach was discovered on Feb 3, 2026 and that some threat actors claim to be selling ~700K records. Treat any contact to your subscribers as higher‑risk until you confirm otherwise. ^[22]

Final verdict — three practical takeaways (actionable)

Sources: Substack disclosure and coverage (The Verge, CSO Online), breach reporting (TechRadar), SANS NewsBites, email‑security guidance (Red Sift, DMARC Report), and platform pricing/migration resources (TechRadar, beehiiv, Ghost migration guides). ^[26]