SoundCloud Data Breach Exposes 29.8 Million User Records
SoundCloud confirmed unauthorized access to an internal/ancillary service dashboard that enabled attackers to correlate hidden email addresses with information already visible on public SoundCloud profiles, impacting roughly 29.8 million accounts (about 20% of its user base). Exposed data was primarily email addresses plus public-profile metadata (e.g., usernames/display names, avatars, follower/following counts, and other profile statistics); SoundCloud stated no passwords or financial data were accessed. Users also reported service disruptions around the time of the incident, including access issues such as 403 Forbidden errors (notably when connecting via VPN), consistent with post-incident security changes and response actions.
Reporting attributed the intrusion and subsequent extortion attempt to the ShinyHunters group, with SoundCloud later acknowledging the actor made demands and used harassment tactics such as email flooding. The stolen dataset was subsequently leaked and then added to Have I Been Pwned for exposure checking, increasing downstream risk of targeted phishing and account-takeover attempts via credential stuffing on other services where users may have reused emails as identifiers. Separate contemporaneous claims by ShinyHunters against other companies (e.g., Panera Bread, CarMax, Edmunds) were reported but are distinct from the confirmed SoundCloud incident and include different alleged access vectors (e.g., stolen SSO codes).
Timeline
Jan 27, 2026
Have I Been Pwned adds the SoundCloud breach
On 2026-01-27, Have I Been Pwned indexed the SoundCloud incident and quantified it at 29.8 million affected accounts. HIBP described the breach as attackers mapping public profile data to email addresses before releasing the data publicly.
Jan 1, 2026
Stolen SoundCloud data is publicly leaked online
In January 2026, after the extortion attempt failed, the stolen dataset was publicly released online. Reports said the leak exposed email addresses linked to profile attributes such as usernames, avatars, follower counts, and some location data.
Dec 15, 2025
ShinyHunters attempts to extort SoundCloud after data theft
After exfiltrating the dataset, the attackers—later attributed to the ShinyHunters extortion group—allegedly demanded payment from SoundCloud in exchange for not releasing the data. SoundCloud also acknowledged extortion-related harassment affecting users, employees, and partners.
Dec 1, 2025
SoundCloud discloses breach affecting about 29.8 million accounts
Also in December 2025, SoundCloud disclosed a security incident affecting roughly 29.8 million accounts, about 20% of its user base. The company said exposed data included email addresses and public profile-related information, but not passwords, payment data, or other sensitive private content.
Dec 1, 2025
SoundCloud detects unauthorized access to internal dashboard
In December 2025, SoundCloud identified unauthorized activity involving an ancillary or internal service dashboard that allowed attackers to correlate private email addresses with public profile data at scale. The company began investigating and responding to the incident after detection.
See the full picture in Mallory
Mallory subscribers get deeper analysis on every story, including:
Who’s affected and how
Deep-dive technical analysis
Actionable next steps for your team
IPs, domains, hashes, and more
Ask questions and take action on every story
Filter by topic, classification, timeframe
Get matching stories delivered automatically
Related Entities
Threat Actors
Organizations
Affected Products
Sources
Related Stories
ShinyHunters Claims Okta Vishing Campaign and Leaks Data from Crunchbase, Betterment, and SoundCloud
The **ShinyHunters** extortion group claimed responsibility for a recent **Okta SSO voice-phishing (vishing)** campaign used to steal authentication codes and access victim environments. The group told reporters and researchers it used vishing to obtain Okta single-sign-on codes to compromise **Crunchbase** and **Betterment**, and then published alleged stolen data after the organizations reportedly rejected extortion demands; ShinyHunters also said additional victims exist and that more disclosures are forthcoming. ShinyHunters published alleged datasets for **Crunchbase, Betterment, and SoundCloud** on a newly launched leak site, asserting the dumps contain **PII** and large record counts (reported as **>20 million** for Betterment, **~2 million** for Crunchbase, and **~30+ million** for SoundCloud). **SoundCloud** stated it is aware of data published online allegedly taken from its organization and said its security team, supported by third-party experts, is reviewing the claim and the posted data; ShinyHunters asserted SoundCloud access was *not* obtained via SoundCloud’s Okta credentials. SoundCloud had previously confirmed a breach affecting roughly **20% of users** (about **28 million** based on public user counts), while Crunchbase and Betterment had not publicly responded at the time of reporting.
1 months ago
SoundCloud Data Breach and Service Disruption Following Cyberattack
SoundCloud experienced a cyberattack that resulted in unauthorized access to an ancillary service dashboard, leading to the exposure of limited user data. The company confirmed that the attackers accessed email addresses and information already visible on public SoundCloud profiles, affecting approximately 20% of its user base—estimated at around 26 to 28 million accounts. SoundCloud stated that no sensitive data, such as financial or password information, was compromised. In response, the company activated its incident response protocols, engaged third-party cybersecurity experts, and implemented enhanced monitoring, threat detection, and access control measures. Following the breach, SoundCloud faced multiple denial-of-service attacks that temporarily disrupted the platform's web availability. Additionally, a configuration change made during the incident response process inadvertently disrupted VPN access for users, resulting in widespread reports of 403 "forbidden" errors when attempting to connect via VPN. SoundCloud has since contained the unauthorized access and is working to restore full service, including VPN connectivity, while continuing to audit and reinforce its security posture.
1 months ago
Multiple High-Profile Data Breaches at SoundCloud, Pornhub, and 700Credit
SoundCloud, Pornhub, and 700Credit have each confirmed significant data breaches impacting millions of users. SoundCloud reported unauthorized access to an ancillary service dashboard, affecting approximately 20% of its 140 million users—about 28 million people. The exposed data included email addresses and information already visible on public profiles, with no passwords or financial details compromised. The incident also caused temporary connectivity issues for some users, particularly those using VPNs, due to configuration changes made during the response. Pornhub notified select Premium subscribers that some user data was exposed following a breach at Mixpanel, a third-party analytics provider, but emphasized that sensitive information such as passwords, payment details, and government IDs were not affected. Pornhub had ceased using Mixpanel in 2021 and was informed of the breach by the vendor. 700Credit, a US-based provider of credit and identity verification services, suffered a third-party supply-chain attack that compromised the personal information of approximately 5.6 million individuals. The breach, which occurred between May and October 2025, involved unauthorized access to names, addresses, dates of birth, and Social Security numbers through a compromised API used by one of 700Credit's integration partners. 700Credit has since shut down the affected API, notified federal authorities, and is offering credit monitoring to victims. These incidents highlight the ongoing risks posed by third-party service providers and the importance of timely breach notification and response.
1 months ago