SoundCloud Data Breach Exposes 29.8 Million Accounts
▼ Summary
– Hackers breached SoundCloud and stole personal data from approximately 29.8 million user accounts, including email addresses and public profile information.
– The company confirmed the December incident, stating no sensitive financial or password data was accessed in the breach.
– The attack was carried out by the ShinyHunters extortion gang, which made demands and harassed users and employees with email flooding tactics.
– The stolen data consisted of information like email addresses, names, usernames, geographic locations, and profile statistics already visible on public profiles.
– The same threat group, ShinyHunters, has also recently claimed responsibility for voice phishing attacks targeting major single sign-on accounts at companies like Okta, Microsoft, and Google.
A significant data security incident has impacted the popular audio streaming service SoundCloud, with personal information from nearly 30 million user accounts being compromised. The breach, which occurred in late 2025, involved unauthorized access to an internal service dashboard, leading to the exposure of a substantial portion of the platform’s user base. While the company states that sensitive financial or password data was not accessed, the stolen information still poses considerable risks for those affected.
The platform, known for hosting over 400 million tracks from artists globally, first detected the unusual activity in December. Users began reporting access issues, including “Forbidden” errors when connecting through VPN services, prompting an official investigation. SoundCloud activated its incident response plan and later confirmed that a threat actor had obtained limited data. According to the company, this data consisted primarily of email addresses and information already visible on public user profiles.
Independent analysis from the data breach notification service Have I Been Pwned has since revealed the full scope of the incident. The service reported that the breach impacted 29.8 million accounts, with the stolen dataset including email addresses, geographic locations, names, usernames, and detailed profile statistics like follower counts. This mapping of public profile data to private email addresses for roughly 20% of SoundCloud’s users creates a potent resource for follow-up phishing and social engineering attacks.
The extortion group known as ShinyHunters has been identified as responsible for the attack. Sources indicate the group not only stole the data but also attempted to extort SoundCloud directly. The company acknowledged these tactics in a January update, noting that the threat actors “made demands and deployed email flooding tactics to harass users, employees, and partners.” The data was subsequently released publicly the following month after these extortion attempts.
This incident is part of a broader pattern of activity from the ShinyHunters group, which recently claimed responsibility for a series of voice phishing attacks targeting single sign-on accounts at major technology firms. These tactics are designed to compromise corporate SaaS platforms, highlighting the group’s focus on stealing data for financial extortion. SoundCloud users are advised to remain vigilant for suspicious emails and to enable multi-factor authentication on any accounts where their compromised email address is used.
(Source: Bleeping Computer)
