Hackers have stolen personal and contact information linked to over 29.8 million user accounts after breaching the systems of SoundCloud, according to disclosures from the company and independent breach investigators.
SoundCloud said it launched its incident response procedures after detecting unauthorized activity tied to an ancillary service dashboard. In a statement provided at the time, the company said attackers accessed only limited data and that no passwords, financial information, or other sensitive credentials were compromised. The exposed information was said to include email addresses and details already visible on public SoundCloud profiles.
While SoundCloud initially did not disclose the number of affected users, reporting later revealed that roughly 20 percent of its user base was impacted. This estimate was later confirmed through a security notice published by SoundCloud.
Further investigation linked the breach to the ShinyHunters extortion group. In a January 15 update, SoundCloud confirmed that the attackers attempted to extort the company and carried out email-flooding campaigns to harass users, employees, and partners.
The full scope of the breach became clear this week when Have I Been Pwned reported that 29.8 million accounts were affected. According to the service, attackers were able to link publicly available SoundCloud profile data to private email addresses. The exposed information included email addresses, names, usernames, avatars, follower and following counts, profile statistics, and, in some cases, users’ geographic locations.
Have I Been Pwned said the attackers later released the stolen data publicly after failing to extort SoundCloud. The breach involved nearly 30 million unique email addresses, making it one of the largest music-platform data exposures in recent years.
If this article helped you, please consider supporting our work. Every small contribution keeps Abijita.com independent and running.
SoundCloud has not yet provided additional technical details about how the attackers gained access. The company did not immediately respond to follow-up questions regarding the incident.
