SoundCloud Breach Exposes 29.8 Million User Records in Major Data Theft

In a significant data security incident, audio streaming platform SoundCloud has confirmed that hackers breached its systems in December 2025, stealing personal information from approximately 29.8 million user accounts. The breach, which affected roughly 20% of SoundCloud's user base, exposed email addresses, geographic locations, names, usernames, and profile statistics.

Timeline of the Breach

The incident first came to public attention on December 15, 2025, when users began reporting widespread access issues with the platform. Many SoundCloud users encountered 403 "Forbidden" errors, particularly when attempting to access the service through VPN connections. These disruptions signaled the beginning of what would become one of the largest data breaches in the music streaming industry.

SoundCloud quickly activated its incident response procedures after detecting unauthorized activity involving an ancillary service dashboard. The company initially stated that the breach involved only limited data, specifically noting that no sensitive information such as financial details or passwords had been accessed.

However, subsequent investigations revealed a more extensive compromise than initially disclosed. Sources familiar with the investigation told BleepingComputer that approximately 28 million accounts were affected, a figure that SoundCloud later confirmed in its security notices.

The Attackers and Their Methods

The ShinyHunters extortion gang has been identified as the responsible threat actor group. This notorious cybercrime collective has been linked to numerous high-profile breaches across various industries. According to sources, ShinyHunters not only stole the data but also attempted to extort SoundCloud following the breach.

SoundCloud confirmed these extortion attempts in a January 15 update, revealing that the threat actors had "made demands and deployed email flooding tactics to harass users, employees, and partners." This dual-pronged approach of data theft followed by extortion and harassment is characteristic of modern cybercrime operations.

Scope of the Data Compromise

Have I Been Pwned, a prominent data breach notification service, provided detailed information about the extent of the compromised data. The service reported that the breach affected 29.8 million accounts, with attackers harvesting:

• Email addresses (30 million unique addresses)
• User names
• Usernames
• Avatars
• Follower and following counts
• Geographic location data (country information for some users)

Troy Hunt, the creator of Have I Been Pwned, explained that the attackers were able to "map publicly available SoundCloud profile data to email addresses for approximately 20% of its users." This mapping capability significantly increased the value of the stolen data, as it connected public profile information with private contact details.

Security Implications for Users

While SoundCloud has stated that no financial data or passwords were compromised, the exposure of email addresses and profile information still poses significant risks to affected users. Cybersecurity experts warn that this type of data can be used for:

• Phishing campaigns: Attackers can craft highly targeted phishing emails using the stolen profile information to appear legitimate.
• Credential stuffing attacks: If users reuse passwords across multiple services, attackers may attempt to access other accounts using the stolen email addresses.
• Social engineering: The combination of personal details and profile statistics can help attackers build convincing personas for various scams.
• Spam and harassment: The email flooding tactics mentioned by SoundCloud demonstrate how exposed contact information can be weaponized for harassment.

Industry Context and Response

The SoundCloud breach occurs against a backdrop of increasing cyber attacks targeting digital platforms and services. Just last week, ShinyHunters claimed responsibility for a wave of voice phishing attacks targeting single sign-on (SSO) accounts at major providers including Okta, Microsoft, and Google. These attacks could potentially enable breaches of corporate SaaS platforms and subsequent data theft for extortion purposes.

This pattern of attacks highlights the evolving sophistication of cybercrime operations, which increasingly combine data theft, extortion, and harassment tactics. The targeting of ancillary services and dashboards, as seen in the SoundCloud breach, also underscores the importance of securing all components of a digital infrastructure, not just primary systems.

What Users Should Do Now

For the millions of SoundCloud users affected by this breach, security experts recommend several immediate actions:

1. Monitor email accounts closely for suspicious activity or phishing attempts
2. Enable two-factor authentication on all important accounts, especially email
3. Change passwords for any accounts where the same password was used as on SoundCloud
4. Be vigilant about unsolicited communications that reference SoundCloud or music-related content
5. Consider using a password manager to generate and store unique passwords for each service

SoundCloud users can check whether their accounts were affected by visiting Have I Been Pwned and searching for their email addresses. The service has added the SoundCloud breach data to its database, allowing users to verify if their information was compromised.

Broader Implications for the Music Industry

The breach raises questions about data security practices across the music streaming and digital audio industry. As platforms collect increasingly detailed user profiles and engagement metrics, the potential value of this data to cybercriminals grows correspondingly.

Industry analysts suggest that companies in this sector may need to reassess their security postures, particularly regarding the protection of user metadata and profile information. The fact that attackers were able to map public profile data to private email addresses indicates potential vulnerabilities in how these platforms handle data correlation and access controls.

Looking Forward

As investigations continue, questions remain about the full extent of the breach and whether additional data may have been compromised. SoundCloud has not yet responded to requests for updated information about the incident, leaving some uncertainty about the complete impact.

The SoundCloud breach serves as a reminder that even platforms perceived as less likely targets for cyberattacks can fall victim to sophisticated attacks. With over 400 million tracks from more than 40 million artists worldwide, SoundCloud represents a significant repository of cultural and user data that has now been partially exposed.

For the music industry and digital platforms more broadly, this incident may prompt a reevaluation of security practices and user data protection strategies. As cyber threats continue to evolve, the need for robust security measures and transparent communication with users becomes increasingly critical.