SoundCloud Data Breach and Service Disruption Following Cyberattack
SoundCloud experienced a cyberattack that resulted in unauthorized access to an ancillary service dashboard, leading to the exposure of limited user data. The company confirmed that the attackers accessed email addresses and information already visible on public SoundCloud profiles, affecting approximately 20% of its user base—estimated at around 26 to 28 million accounts. SoundCloud stated that no sensitive data, such as financial or password information, was compromised. In response, the company activated its incident response protocols, engaged third-party cybersecurity experts, and implemented enhanced monitoring, threat detection, and access control measures.
Following the breach, SoundCloud faced multiple denial-of-service attacks that temporarily disrupted the platform's web availability. Additionally, a configuration change made during the incident response process inadvertently disrupted VPN access for users, resulting in widespread reports of 403 "forbidden" errors when attempting to connect via VPN. SoundCloud has since contained the unauthorized access and is working to restore full service, including VPN connectivity, while continuing to audit and reinforce its security posture.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
7 events from the most recent confirmed update back to the earliest known activity.
SoundCloud advises users to watch for phishing and strengthen accounts
In the wake of the breach, SoundCloud urged users to remain alert for phishing attempts and to improve account security, including changing passwords and enabling multi-factor or two-factor authentication. These recommendations were issued because exposed email and profile data could support social engineering attacks.
ShinyHunters linked to breach and alleged extortion attempt
Reports published on December 16, 2025 said the ShinyHunters extortion group was believed to be behind the SoundCloud breach and was allegedly attempting to extort the company by threatening to leak the stolen data. Some reports noted it was unclear whether the same actor also conducted the DoS attacks.
SoundCloud publicly confirms breach affecting about 20% of users
By December 15-16, 2025, SoundCloud confirmed that roughly 20% of its users—reported as about 26 to 28 million accounts—were affected by the data theft. The company stated that only email addresses and public profile data were exposed, not passwords or payment information.
Denial-of-service attacks temporarily disrupt SoundCloud web access
Following containment of the breach, SoundCloud was hit by multiple DoS/DDoS attacks that caused temporary outages on its web platform. Mobile and API services reportedly remained available during these disruptions.
Emergency security changes disrupt VPN access for some users
As SoundCloud implemented configuration and security changes following the breach, some users experienced temporary VPN-related connectivity problems. The company said it was not intentionally blocking VPNs and was working to resolve the access issues.
SoundCloud contains breach and tightens security controls
After detecting the intrusion, SoundCloud activated incident response procedures, engaged third-party cybersecurity experts, blocked unauthorized access, and reviewed monitoring and access controls. The company said it believed the attackers no longer had access to its systems.
Attackers breach SoundCloud via ancillary service dashboard
In December 2025, attackers gained unauthorized access to an internal or ancillary service dashboard at SoundCloud and exfiltrated a user database. The stolen data was limited to email addresses and publicly visible profile information, with no passwords or financial data accessed.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
6 references tracked. Mallory keeps watching after this page renders.
SoundCloud Cyberattack Leaves 28M Users Exposed
techrepublic.com
Open sourceNo, SoundCloud hasn’t started tuning out VPNs. It’s mopping up after a cyberattack
go.theregister.com
Open sourceSoundCloud Confirms Data Breach – Hackers Exfiltrated User Account Data
cybersecuritynews.com
Open sourceSoundCloud breached, hit by DoS attacks
helpnetsecurity.com
Open sourceSoundCloud Hit by Cyberattack, Breach Affects 20% of its Users
hackread.com
Open sourceSoundCloud confirms breach after member data stolen, VPN access disrupted
bleepingcomputer.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
SoundCloud Data Breach Exposes 29.8 Million User Records
SoundCloud confirmed unauthorized access to an internal/ancillary service dashboard that enabled attackers to correlate **hidden email addresses** with information already visible on public SoundCloud profiles, impacting roughly **29.8 million accounts** (about **20%** of its user base). Exposed data was primarily **email addresses** plus public-profile metadata (e.g., usernames/display names, avatars, follower/following counts, and other profile statistics); SoundCloud stated **no passwords or financial data** were accessed. Users also reported service disruptions around the time of the incident, including access issues such as `403 Forbidden` errors (notably when connecting via VPN), consistent with post-incident security changes and response actions. Reporting attributed the intrusion and subsequent extortion attempt to the **ShinyHunters** group, with SoundCloud later acknowledging the actor made demands and used harassment tactics such as **email flooding**. The stolen dataset was subsequently leaked and then added to *Have I Been Pwned* for exposure checking, increasing downstream risk of targeted phishing and account-takeover attempts via credential stuffing on other services where users may have reused emails as identifiers. Separate contemporaneous claims by ShinyHunters against other companies (e.g., Panera Bread, CarMax, Edmunds) were reported but are distinct from the confirmed SoundCloud incident and include different alleged access vectors (e.g., stolen SSO codes).
Mar 21, 2026
Multiple High-Profile Data Breaches at SoundCloud, Pornhub, and 700Credit
SoundCloud, Pornhub, and 700Credit have each confirmed significant data breaches impacting millions of users. SoundCloud reported unauthorized access to an ancillary service dashboard, affecting approximately 20% of its 140 million users—about 28 million people. The exposed data included email addresses and information already visible on public profiles, with no passwords or financial details compromised. The incident also caused temporary connectivity issues for some users, particularly those using VPNs, due to configuration changes made during the response. Pornhub notified select Premium subscribers that some user data was exposed following a breach at Mixpanel, a third-party analytics provider, but emphasized that sensitive information such as passwords, payment details, and government IDs were not affected. Pornhub had ceased using Mixpanel in 2021 and was informed of the breach by the vendor. 700Credit, a US-based provider of credit and identity verification services, suffered a third-party supply-chain attack that compromised the personal information of approximately 5.6 million individuals. The breach, which occurred between May and October 2025, involved unauthorized access to names, addresses, dates of birth, and Social Security numbers through a compromised API used by one of 700Credit's integration partners. 700Credit has since shut down the affected API, notified federal authorities, and is offering credit monitoring to victims. These incidents highlight the ongoing risks posed by third-party service providers and the importance of timely breach notification and response.
Mar 21, 2026
ShinyHunters Claims Okta Vishing Campaign and Leaks Data from Crunchbase, Betterment, and SoundCloud
The **ShinyHunters** extortion group claimed responsibility for a recent **Okta SSO voice-phishing (vishing)** campaign used to steal authentication codes and access victim environments. The group told reporters and researchers it used vishing to obtain Okta single-sign-on codes to compromise **Crunchbase** and **Betterment**, and then published alleged stolen data after the organizations reportedly rejected extortion demands; ShinyHunters also said additional victims exist and that more disclosures are forthcoming. ShinyHunters published alleged datasets for **Crunchbase, Betterment, and SoundCloud** on a newly launched leak site, asserting the dumps contain **PII** and large record counts (reported as **>20 million** for Betterment, **~2 million** for Crunchbase, and **~30+ million** for SoundCloud). **SoundCloud** stated it is aware of data published online allegedly taken from its organization and said its security team, supported by third-party experts, is reviewing the claim and the posted data; ShinyHunters asserted SoundCloud access was *not* obtained via SoundCloud’s Okta credentials. SoundCloud had previously confirmed a breach affecting roughly **20% of users** (about **28 million** based on public user counts), while Crunchbase and Betterment had not publicly responded at the time of reporting.
Mar 21, 2026