SoundCloud Data Breach Exposes 29.8 Million User Records
SoundCloud confirmed unauthorized access to an internal/ancillary service dashboard that enabled attackers to correlate hidden email addresses with information already visible on public SoundCloud profiles, impacting roughly 29.8 million accounts (about 20% of its user base). Exposed data was primarily email addresses plus public-profile metadata (e.g., usernames/display names, avatars, follower/following counts, and other profile statistics); SoundCloud stated no passwords or financial data were accessed. Users also reported service disruptions around the time of the incident, including access issues such as 403 Forbidden errors (notably when connecting via VPN), consistent with post-incident security changes and response actions.
Reporting attributed the intrusion and subsequent extortion attempt to the ShinyHunters group, with SoundCloud later acknowledging the actor made demands and used harassment tactics such as email flooding. The stolen dataset was subsequently leaked and then added to Have I Been Pwned for exposure checking, increasing downstream risk of targeted phishing and account-takeover attempts via credential stuffing on other services where users may have reused emails as identifiers. Separate contemporaneous claims by ShinyHunters against other companies (e.g., Panera Bread, CarMax, Edmunds) were reported but are distinct from the confirmed SoundCloud incident and include different alleged access vectors (e.g., stolen SSO codes).
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Have I Been Pwned adds the SoundCloud breach
On 2026-01-27, Have I Been Pwned indexed the SoundCloud incident and quantified it at 29.8 million affected accounts. HIBP described the breach as attackers mapping public profile data to email addresses before releasing the data publicly.
Stolen SoundCloud data is publicly leaked online
In January 2026, after the extortion attempt failed, the stolen dataset was publicly released online. Reports said the leak exposed email addresses linked to profile attributes such as usernames, avatars, follower counts, and some location data.
ShinyHunters attempts to extort SoundCloud after data theft
After exfiltrating the dataset, the attackers—later attributed to the ShinyHunters extortion group—allegedly demanded payment from SoundCloud in exchange for not releasing the data. SoundCloud also acknowledged extortion-related harassment affecting users, employees, and partners.
SoundCloud discloses breach affecting about 29.8 million accounts
Also in December 2025, SoundCloud disclosed a security incident affecting roughly 29.8 million accounts, about 20% of its user base. The company said exposed data included email addresses and public profile-related information, but not passwords, payment data, or other sensitive private content.
SoundCloud detects unauthorized access to internal dashboard
In December 2025, SoundCloud identified unauthorized activity involving an ancillary or internal service dashboard that allowed attackers to correlate private email addresses with public profile data at scale. The company began investigating and responding to the incident after detection.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
5 references tracked. Mallory keeps watching after this page renders.
SoundCloud Data Breach Exposes Nearly 30M User Accounts
techrepublic.com
Open sourceData breach exposes 29.8M SoundCloud accounts | SC Media
scworld.com
Open sourceSoundCloud Data Breach Exposes 29.8 Million Personal users Details
cybersecuritynews.com
Open sourceSoundCloud Data Breach 2025: 29.8 Million Accounts Exposed and Indexed by Have I Been Pwned
rescana.com
Open sourceHave I Been Pwned: SoundCloud data breach impacts 29.8 million accounts
bleepingcomputer.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
ShinyHunters Claims Okta Vishing Campaign and Leaks Data from Crunchbase, Betterment, and SoundCloud
The **ShinyHunters** extortion group claimed responsibility for a recent **Okta SSO voice-phishing (vishing)** campaign used to steal authentication codes and access victim environments. The group told reporters and researchers it used vishing to obtain Okta single-sign-on codes to compromise **Crunchbase** and **Betterment**, and then published alleged stolen data after the organizations reportedly rejected extortion demands; ShinyHunters also said additional victims exist and that more disclosures are forthcoming. ShinyHunters published alleged datasets for **Crunchbase, Betterment, and SoundCloud** on a newly launched leak site, asserting the dumps contain **PII** and large record counts (reported as **>20 million** for Betterment, **~2 million** for Crunchbase, and **~30+ million** for SoundCloud). **SoundCloud** stated it is aware of data published online allegedly taken from its organization and said its security team, supported by third-party experts, is reviewing the claim and the posted data; ShinyHunters asserted SoundCloud access was *not* obtained via SoundCloud’s Okta credentials. SoundCloud had previously confirmed a breach affecting roughly **20% of users** (about **28 million** based on public user counts), while Crunchbase and Betterment had not publicly responded at the time of reporting.
Mar 21, 2026
SoundCloud Data Breach and Service Disruption Following Cyberattack
SoundCloud experienced a cyberattack that resulted in unauthorized access to an ancillary service dashboard, leading to the exposure of limited user data. The company confirmed that the attackers accessed email addresses and information already visible on public SoundCloud profiles, affecting approximately 20% of its user base—estimated at around 26 to 28 million accounts. SoundCloud stated that no sensitive data, such as financial or password information, was compromised. In response, the company activated its incident response protocols, engaged third-party cybersecurity experts, and implemented enhanced monitoring, threat detection, and access control measures. Following the breach, SoundCloud faced multiple denial-of-service attacks that temporarily disrupted the platform's web availability. Additionally, a configuration change made during the incident response process inadvertently disrupted VPN access for users, resulting in widespread reports of 403 "forbidden" errors when attempting to connect via VPN. SoundCloud has since contained the unauthorized access and is working to restore full service, including VPN connectivity, while continuing to audit and reinforce its security posture.
Mar 21, 2026
Multiple High-Profile Data Breaches at SoundCloud, Pornhub, and 700Credit
SoundCloud, Pornhub, and 700Credit have each confirmed significant data breaches impacting millions of users. SoundCloud reported unauthorized access to an ancillary service dashboard, affecting approximately 20% of its 140 million users—about 28 million people. The exposed data included email addresses and information already visible on public profiles, with no passwords or financial details compromised. The incident also caused temporary connectivity issues for some users, particularly those using VPNs, due to configuration changes made during the response. Pornhub notified select Premium subscribers that some user data was exposed following a breach at Mixpanel, a third-party analytics provider, but emphasized that sensitive information such as passwords, payment details, and government IDs were not affected. Pornhub had ceased using Mixpanel in 2021 and was informed of the breach by the vendor. 700Credit, a US-based provider of credit and identity verification services, suffered a third-party supply-chain attack that compromised the personal information of approximately 5.6 million individuals. The breach, which occurred between May and October 2025, involved unauthorized access to names, addresses, dates of birth, and Social Security numbers through a compromised API used by one of 700Credit's integration partners. 700Credit has since shut down the affected API, notified federal authorities, and is offering credit monitoring to victims. These incidents highlight the ongoing risks posed by third-party service providers and the importance of timely breach notification and response.
Mar 21, 2026