
The SoundCloud data breach disclosed in December 2025 has now been indexed in Have I Been Pwned (HIBP), confirming that nearly 30 million user accounts had their email addresses mapped to public profile data and later leaked online.
The breach impacted approximately 20% of the platform’s users, amounting to 29.8 million accounts. According to SoundCloud’s disclosure, the attack stemmed from unauthorized access to an internal service dashboard, which was exploited to correlate email addresses, normally hidden from public view, with information from publicly accessible user profiles. Exposed data includes usernames, display names, avatars, follower and following counts, and, in some cases, users’ country of origin.
The incident was detected after SoundCloud’s internal monitoring systems flagged suspicious behavior targeting an ancillary dashboard. The company promptly initiated its incident response protocols, isolating the affected systems and bringing in external cybersecurity experts to assist with the investigation. Notably, there was no exposure of sensitive data such as passwords, financial details, or private user content. The firm emphasized that the breach has been fully contained.
SoundCloud is a prominent audio streaming and distribution platform, popular with independent musicians, podcasters, and DJs. With tens of millions of users worldwide, the service plays a crucial role in grassroots audio publishing. However, its global reach also makes it a frequent target for attackers, especially in regions where access may be restricted and VPN usage is high.
After the breach was mitigated, the company suffered a wave of denial-of-service attacks, two of which temporarily disrupted access to the platform. Concurrently, users began reporting VPN-related access issues, which SoundCloud later attributed to misconfigured Web Application Firewall (WAF) settings deployed during its post-breach security overhaul. These changes inadvertently blocked some legitimate traffic, including that from VPN and proxy services, leading to further user frustration.
The actors behind the breach reportedly attempted to extort SoundCloud before leaking the data online in early January 2026. While the company did not name the perpetrators, the attack was linked to the ShinyHunters group, which leaked the data on its extortion portal. The dataset was then copied and republished on hacker forums.

The inclusion of this breach in HIBP on January 27, 2026, means affected users can now check whether their email addresses were involved. Of the 30 million email addresses exposed, approximately 67% were already known in the HIBP database from previous incidents.






