- Severity: high
- Records: 29,800,000
- Vector: Internal System Compromise — access to ancillary service dashboard
- Organization: SoundCloud
- Incident Date: 2025-12-15
What Happened
SoundCloud, the popular audio streaming platform with approximately 140 million users, suffered a data breach that exposed personal information of 29.8 million accounts—roughly 20% of its user base. The ShinyHunters hacking group claimed responsibility and leaked the data after SoundCloud refused to pay an extortion demand.
Incident overview
| Attribute | Details |
|---|---|
| Victim | SoundCloud |
| Industry | Music/Audio streaming |
| Discovery date | December 15, 2025 |
| HIBP addition | January 2026 |
| Accounts affected | 29,800,000 |
| Attack method | Internal system compromise |
| Threat actor | ShinyHunters |
| Ransom demanded | Yes |
| Ransom paid | No |
| Data leaked | Yes (publicly released) |
Timeline
| Date | Event |
|---|---|
| December 15, 2025 | Users report 403 errors, VPN access blocked |
| December 15, 2025 | SoundCloud confirms breach |
| December 2025 | ShinyHunters issues extortion demand |
| January 2026 | SoundCloud refuses payment |
| January 2026 | ShinyHunters releases stolen data |
| January 2026 | Have I Been Pwned adds breach |
| January 2026 | Email flooding harassment campaign begins |
Data exposed
Confirmed compromised
| Data type | Status |
|---|---|
| Email addresses | Confirmed |
| Full names | Confirmed |
| Usernames | Confirmed |
| Profile images | Confirmed |
| Geographic locations | Some users |
| Follower counts | Confirmed |
| Following counts | Confirmed |
| Profile statistics | Confirmed |
NOT compromised
| Data type | Status |
|---|---|
| Passwords | Not exposed |
| Payment information | Not exposed |
| Private messages | Not exposed |
How the breach occurred
| Stage | Details |
|---|---|
| Initial access | Attackers gained access to an internal system |
| Data linking | Connected private emails to public profiles |
| Aggregation | Built dataset linking identities at scale |
| Exfiltration | Exported 29.8 million user records |
The breach did not involve direct access to SoundCloud’s main user database. Instead, attackers accessed an ancillary service dashboard that allowed them to link private email addresses with publicly visible profile information.
Why this matters
While much of the exposed data was publicly visible on SoundCloud profiles, the breach creates significant risk through data aggregation:
| Risk | Impact |
|---|---|
| Phishing attacks | Emails linked to real identities |
| Credential stuffing | Email/username combinations for other services |
| Social engineering | Profile details enable targeted attacks |
| Spam campaigns | 29.8 million valid email addresses |
ShinyHunters tactics
The threat actor employed multiple pressure tactics:
| Tactic | Description |
|---|---|
| Extortion demand | Payment requested to prevent leak |
| Email flooding | Harassment of users, employees, partners |
| Public leak | Data released after refused payment |
| Media notification | Journalists alerted to amplify pressure |
Impact assessment
| Factor | Assessment |
|---|---|
| Scale | ~20% of SoundCloud users |
| Sensitivity | Moderate (mostly public data + emails) |
| Business impact | Reputational damage |
| User risk | Phishing, spam, credential stuffing |
Recommendations
For SoundCloud users
| Priority | Action |
|---|---|
| Critical | Check Have I Been Pwned for your email |
| High | Change passwords if reused elsewhere |
| High | Enable two-factor authentication |
| High | Watch for phishing emails referencing SoundCloud |
| Medium | Review connected apps and revoke unused |
For organizations
| Priority | Action |
|---|---|
| High | Segment ancillary systems from user data |
| High | Limit data linking capabilities |
| Medium | Monitor for credential stuffing attempts |
| Ongoing | Train users on phishing recognition |
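One way to act on "Limit data linking capabilities" is to alert when a single dashboard account resolves the private email field for many different users in a short window, the pattern described under "How the breach occurred". This is an added example, not SoundCloud's code: the audit-log format, operator names, and thresholds are hypothetical, and the log lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed audit lines: 'timestamp operator action user_id fields'."""
    t0 = datetime(2025, 1, 1, 9, 0, 0)  # arbitrary constructed start time

    def line(offset_s, operator, user_id, fields):
        ts = (t0 + timedelta(seconds=offset_s)).isoformat()
        return f"{ts} {operator} view_profile {user_id} {fields}"

    log = []
    # Support agent: a handful of email lookups, minutes apart.
    log += [line(420 * i, "agent_a", 1000 + i, "username,email") for i in range(5)]
    # Moderator: many lookups, but only public fields are returned.
    log += [line(i, "agent_b", 2000 + i, "username,location") for i in range(30)]
    # Agent refreshing the same user's page repeatedly.
    log += [line(i, "agent_c", 3000, "username,email") for i in range(40)]
    # Dashboard account resolving emails for 200 different users in ~7 minutes.
    log += [line(2 * i, "dash_svc", 5000 + i, "username,email") for i in range(200)]
    return log


def flag_bulk_linkers(lines, window=timedelta(minutes=10), max_distinct=20):
    """Return {operator: peak} for operators that resolved the private email
    field for more than max_distinct different users inside one window."""
    recent = defaultdict(deque)  # operator -> (timestamp, user_id) in window
    peak = defaultdict(int)
    for entry in sorted(lines):  # ISO timestamps sort chronologically
        parts = entry.split()
        if len(parts) != 5:
            continue  # ignore malformed lines
        ts_raw, operator, _action, user_id, fields = parts
        if "email" not in fields.split(","):
            continue  # public-only views do not link identities
        ts = datetime.fromisoformat(ts_raw)
        q = recent[operator]
        q.append((ts, user_id))
        while ts - q[0][0] > window:
            q.popleft()  # drop lookups that fell out of the window
        peak[operator] = max(peak[operator], len({u for _, u in q}))
    return {op: n for op, n in peak.items() if n > max_distinct}


if __name__ == "__main__":
    print(flag_bulk_linkers(build_sample_log()))
```

Counting distinct users rather than raw requests keeps an agent who reloads one profile from tripping the alert, while a low-and-slow export still needs a longer window or a daily budget to catch.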
Context
The SoundCloud breach illustrates how even “limited” breaches create significant risk through data aggregation. By linking private email addresses to public profile information, attackers created a valuable dataset for phishing campaigns and credential attacks.
ShinyHunters has become one of the most prolific data extortion groups, responsible for numerous high-profile breaches in 2025-2026 including Match Group, Crunchbase, Harvard, UPenn, and Panera Bread. Their consistent playbook—breach, extort, leak—demonstrates that refusing ransom doesn’t prevent data exposure but does avoid funding criminal operations.
For affected users, the primary risk is phishing. Attackers now have email addresses linked to real names and profile details, enabling highly targeted social engineering. Vigilance for suspicious emails—particularly those referencing SoundCloud or music-related topics—is essential.