SoundCloud data breach exposes 29.8 million user accounts

Hackers person exposed idiosyncratic and interaction accusation tied to SoundCloud accounts, with information breach notification work Have I Been Pwned reporting impacts to astir 29.8 cardinal users. The breach deed 1 of the world's largest audio platforms and near galore users locked retired with mistake messages earlier the institution confirmed the incident.

Founded successful 2007, SoundCloud grew into an artist-first work hosting much than 400 cardinal tracks from implicit 40 cardinal creators. That standard made this incidental particularly concerning. SoundCloud said it detected unauthorized enactment tied to an interior work dashboard and launched its incidental effect process. At the time, users reported 403 Forbidden errors, particularly erstwhile connecting done VPNs.

Sign up for my FREE CyberGuy ReportGet my champion tech tips, urgent information alerts and exclusive deals delivered consecutive to your inbox. Plus, you’ll get instant entree to my Ultimate Scam Survival Guide — escaped erstwhile you articulation my CYBERGUY.COM newsletter

149 MILLION PASSWORDS EXPOSED IN MASSIVE CREDENTIAL LEAK

SoundCloud confirmed unauthorized enactment aft users reported entree errors, triggering an interior incidental response. (iStock)

What information was exposed successful the SoundCloud breach

SoundCloud initially said attackers accessed constricted information and did not interaction passwords oregon fiscal information. The institution said the exposed accusation matched what users already amusement publically connected profiles.

Later disclosures painted a overmuch bigger picture.

According to Have I Been Pwned, attackers harvested information from astir 29.8 cardinal accounts. That information included:

• Email addresses
• Usernames and show names
• Profile photos and avatars
• Follower and pursuing counts
• Geographic locations, successful immoderate cases

While nary passwords were taken, linking emails to nationalist profiles creates existent risk. That operation fuels phishing, impersonation and targeted scams.

Who is down the attack

Security researchers tied the breach to ShinyHunters, a well-known extortion gang. Sources told BleepingComputer that the radical attempted to extort SoundCloud pursuing the information breach. SoundCloud aboriginal confirmed those claims. In a January update, the institution said attackers made demands and launched email-flooding campaigns to harass users, employees and partners. ShinyHunters has besides claimed work for caller dependable phishing attacks targeting azygous sign-on systems astatine Okta, Microsoft and Google. Those attacks targeted firm SaaS accounts to bargain information and extort.

Why this breach matters adjacent without passwords

At archetypal glance, this whitethorn dependable little superior than breaches involving passwords oregon recognition cards. That presumption tin beryllium dangerous. Email addresses tied to existent profiles let scammers to trade convincing messages. They tin airs arsenic SoundCloud, brands oregon adjacent different creators. With follower counts and usernames, messages consciousness idiosyncratic and believable. Once attackers summation trust, they propulsion links, malware oregon fake login pages. That is often however larger relationship takeovers begin.

What SoundCloud users should expect next

SoundCloud has not said whether much details volition beryllium released. The institution did corroborate the onslaught and the extortion attempt, but it has not answered follow-up questions astir the scope oregon interior controls. For users, the semipermanent hazard comes from however wide this dataset spreads. Once published, exposed information seldom disappears. It circulates crossed forums, marketplaces and scam networks for years.

We reached retired to SoundCloud for comment, and a typical told us, "We are alert that a menace histrion radical has published information online allegedly taken from our organization. Please cognize that our information team—supported by starring third-party cybersecurity experts—is actively reviewing the assertion and published data."

SoundCloud has said it has recovered nary grounds that delicate data, specified arsenic passwords oregon fiscal information, was accessed.

Ways to enactment harmless aft the SoundCloud breach

If you person oregon had a SoundCloud account, present is the clip to act. Even constricted information vulnerability tin pb to targeted scams if you disregard it.

1) Watch for phishing and impersonation emails

Scammers often determination accelerated aft a breach. Watch your inbox for messages that notation SoundCloud, euphony uploads, copyright issues oregon relationship warnings. Do not click links oregon unfastened attachments from unexpected emails. When successful doubt, spell straight to the authoritative website alternatively of utilizing email links. Strong antivirus bundle adds different furniture of extortion here.

Nearly 29.8 cardinal accounts had emails and nationalist illustration information harvested, raising concerns astir phishing and impersonation. (Cyberguy.com)

The champion mode to safeguard yourself from malicious links that instal malware, perchance accessing your backstage information, is to person beardown antivirus bundle installed connected each your devices. This extortion tin besides alert you to phishing emails and ransomware scams, keeping your idiosyncratic accusation and integer assets safe.

Get my picks for the champion 2026 antivirus extortion winners for your Windows, Mac, Android & iOS devices astatine Cyberguy.com

2) Change your SoundCloud password anyway

Passwords were not exposed, but changing them is inactive smart. Create a caller password that you bash not usage anyplace else. If remembering passwords feels impossible, see utilizing a password manager to make and securely store beardown passwords. This reduces the hazard of reuse crossed platforms.

Next, spot if your email has been exposed successful past breaches. Our #1 password manager (see Cyberguy.com) prime includes a built-in breach scanner that checks whether your email code oregon passwords person appeared successful known leaks. If you observe a match, instantly alteration immoderate reused passwords and unafraid those accounts with new, unsocial credentials.

Check retired the champion expert-reviewed password managers of 2026 astatine Cyberguy.com

3) Turn connected two-factor authentication

Two-factor authentication (2FA) adds a captious obstruction if idiosyncratic tries to entree your account. Even if attackers conjecture oregon get a password later, they inactive request a 2nd verification step. Enable 2FA anyplace SoundCloud oregon connected services connection it.

4) Lock down your email account 

Your email is the existent people aft astir breaches. If idiosyncratic gains entree to it, they tin reset passwords everyplace else. Use a strong, unsocial password for your email relationship and crook connected two-factor authentication. Review betterment emails and telephone numbers to marque definite they inactive beryllium to you.

DATA BREACH EXPOSES 400,000 BANK CUSTOMERS’ INFO

5) Reduce your online information footprint

Attackers usage breached emails to hunt information broker sites and societal platforms for much details. The little information available, the harder you are to target. Consider a information removal work to bounds however often your email and idiosyncratic details look crossed the web.

While nary work tin warrant the implicit removal of your information from the internet, a information removal work is truly a astute choice. They aren't cheap, and neither is your privacy. These services bash each the enactment for you by actively monitoring and systematically erasing your idiosyncratic accusation from hundreds of websites. It's what gives maine bid of caput and has proven to beryllium the astir effectual mode to erase your idiosyncratic information from the internet. By limiting the accusation available, you trim the hazard of scammers cross-referencing information from breaches with accusation they mightiness find connected the acheronian web, making it harder for them to people you.

Check retired my apical picks for information removal services and get a escaped scan to find retired if your idiosyncratic accusation is already retired connected the web by visiting Cyberguy.com

Get a escaped scan to find retired if your idiosyncratic accusation is already retired connected the web: Cyberguy.com

6) Check your different accounts for suspicious activity

Attackers often reuse exposed email addresses to trial logins crossed streaming services, societal media and buying accounts. Watch for password reset emails you did not petition oregon login alerts from unfamiliar locations. If thing looks off, enactment fast.

Security researchers linked the breach to the ShinyHunters extortion group, which aboriginal attempted to unit SoundCloud for payment. (Thomas Trutschel/Photothek via Getty Images)

Kurt's cardinal takeaways

Data breaches nary longer enactment contained to 1 app oregon 1 infinitesimal successful time. Even erstwhile attackers exposure accusation that looks harmless, the fallout tin past overmuch longer. The SoundCloud breach shows however nationalist illustration information paired with backstage interaction details creates existent exposure. Staying alert, limiting information sharing and utilizing beardown information habits stay your champion defence arsenic breaches proceed to escalate.

Have you checked which aged oregon forgotten accounts inactive exposure your email and could beryllium putting you astatine hazard close now? Let america cognize your thoughts by penning to america astatine Cyberguy.com

CLICK HERE TO DOWNLOAD THE FOX NEWS APP

Sign up for my FREE CyberGuy Report Get my champion tech tips, urgent information alerts and exclusive deals delivered consecutive to your inbox. Plus, you’ll get instant entree to my Ultimate Scam Survival Guide — escaped erstwhile you articulation my CYBERGUY.COM newsletter 

Copyright 2026 CyberGuy.com.  All rights reserved.