Substack took four months to tell anyone
On February 6, 2026, Substack disclosed a data breach affecting roughly 697,313 user records. The breach itself happened the previous October. Substack sat on the disclosure for four months, while writers were leaving over the 10% fee anyway.
On February 6, 2026, Substack confirmed a data breach affecting approximately 697,313 user records. The breach itself happened the previous October. The company sat on the disclosure for about four months.
The May 2026 writer exodus is a separate story, but the two share an underlying point. High-profile writers including Casey Newton at Platformer had been leaving Substack since 2024 over the platform's content-moderation stance. This year the migration accelerated, driven by something less philosophical: the 10% commission on subscription revenue, plus the realization that Substack's Recommendation Network, Notes followers, and comment history don't move with the writer the way an email list or Stripe customer data does.
Both stories are about a power imbalance. Substack holds the audience, the data, the inbox, the recommendation graph, and the disclosure timeline. The writers borrow them.
A four-month delay between breach and disclosure is usually some combination of internal forensics, legal review, and a calculation that earlier disclosure costs more than later disclosure does. The decision belongs to Substack. Affected writers and readers can't opt into a different timeline.
For newsletter writers reading this on Beacon's blog, the structural lesson is the same one I keep returning to. You can host your newsletter on Substack and accept the deal — 10% off the top, social graph held hostage to the platform, breach disclosure timeline at Substack's discretion. Or you can run it from somewhere that doesn't take those things in trade. Ghost is the obvious destination, which is why this site runs on it; Beehiiv is another commonly cited alternative. Self-hosted Ghost is the maximum-ownership option, if you're willing to run it.
Beacon's job here is one layer up from the newsletter. The hub for your readers (the page where they find your work, where new posts get linked from, where your other channels live) is the part that should sit on your domain regardless of which newsletter platform you're using. If your newsletter has to migrate, your hub doesn't.
Writers who left this spring took their email list and their Stripe data and started over on Ghost or Beehiiv. They left behind the recommendation graph, the Notes followers, and the years of comment history. The platform's grip on the audience graph is the part that hurts to lose.