SoundCloud data breach exposes 29.8 million user accounts

Hackers have exposed personal and contact information tied to SoundCloud accounts, with data breach notification service Have I Been Pwned reporting impacts to approximately 29.8 million users. The breach hit one of the world's largest audio platforms and left many users locked out with error messages before the company confirmed the incident.

Founded in 2007, SoundCloud grew into an artist-first service hosting more than 400 million tracks from over 40 million creators. That scale made this incident especially concerning. SoundCloud said it detected unauthorized activity tied to an internal service dashboard and launched its incident response process. At the time, users reported 403 Forbidden errors, especially when connecting through VPNs.

Sign up for my FREE CyberGuy ReportGet my best tech tips, urgent security alerts and exclusive deals delivered straight to your inbox. Plus, you'll get instant access to my Ultimate Scam Survival Guide - free when you join my CYBERGUY.COM newsletter

149 MILLION PASSWORDS EXPOSED IN MASSIVE CREDENTIAL LEAK

SoundCloud initially said attackers accessed limited data and did not touch passwords or financial information. The company said the exposed information matched what users already show publicly on profiles.

Later disclosures painted a much bigger picture.

According to Have I Been Pwned, attackers harvested data from approximately 29.8 million accounts. That data included:

While no passwords were taken, linking emails to public profiles creates real risk. That combination fuels phishing, impersonation and targeted scams.

Security researchers tied the breach to ShinyHunters, a well-known extortion gang. Sources told BleepingComputer that the group attempted to extort SoundCloud following the data breach. SoundCloud later confirmed those claims. In a January update, the company said attackers made demands and launched email-flooding campaigns to harass users, employees and partners. ShinyHunters has also claimed responsibility for recent voice phishing attacks targeting single sign-on systems at Okta, Microsoft and Google. Those attacks targeted corporate SaaS accounts to steal data and extort.

At first glance, this may sound less serious than breaches involving passwords or credit cards. That assumption can be dangerous. Email addresses tied to real profiles allow scammers to craft convincing messages. They can pose as SoundCloud, brands or even other creators. With follower counts and usernames, messages feel personal and believable. Once attackers gain trust, they push links, malware or fake login pages. That is often how larger account takeovers begin.

SoundCloud has not said whether more details will be released. The company did confirm the attack and the extortion attempt, but it has not answered follow-up questions about the scope or internal controls. For users, the long-term risk comes from how widely this dataset spreads. Once published, exposed data rarely disappears. It circulates across forums, marketplaces and scam networks for years.

We reached out to SoundCloud for comment, and a representative told us, "We are aware that a threat actor group has published data online allegedly taken from our organization. Please know that our security team-supported by leading third-party cybersecurity experts-is actively reviewing the claim and published data."

SoundCloud has said it has found no evidence that sensitive data, such as passwords or financial information, was accessed.

If you have or had a SoundCloud account, now is the time to act. Even limited data exposure can lead to targeted scams if you ignore it.

Scammers often move fast after a breach. Watch your inbox for messages that mention SoundCloud, music uploads, copyright issues or account warnings. Do not click links or open attachments from unexpected emails. When in doubt, go directly to the official website instead of using email links. Strong antivirus software adds another layer of protection here.

The best way to safeguard yourself from malicious links that install malware, potentially accessing your private information, is to have strong antivirus software installed on all your devices. This protection can also alert you to phishing emails and ransomware scams, keeping your personal information and digital assets safe.

Get my picks for the best 2026 antivirus protection winners for your Windows, Mac, Android & iOS devices at Cyberguy.com

Passwords were not exposed, but changing them is still smart. Create a new password that you do not use anywhere else. If remembering passwords feels impossible, consider using a password manager to generate and securely store strong passwords. This reduces the risk of reuse across platforms.

Next, see if your email has been exposed in past breaches. Our #1 password manager (see Cyberguy.com) pick includes a built-in breach scanner that checks whether your email address or passwords have appeared in known leaks. If you discover a match, immediately change any reused passwords and secure those accounts with new, unique credentials.

Check out the best expert-reviewed password managers of 2026 at Cyberguy.com

Two-factor authentication (2FA) adds a critical barrier if someone tries to access your account. Even if attackers guess or obtain a password later, they still need a second verification step. Enable 2FA anywhere SoundCloud or connected services offer it.

Your email is the real target after most breaches. If someone gains access to it, they can reset passwords everywhere else. Use a strong, unique password for your email account and turn on two-factor authentication. Review recovery emails and phone numbers to make sure they still belong to you.

DATA BREACH EXPOSES 400,000 BANK CUSTOMERS' INFO

Attackers use breached emails to search data broker sites and social platforms for more details. The less data available, the harder you are to target. Consider a data removal service to limit how often your email and personal details appear across the web.

While no service can guarantee the complete removal of your data from the internet, a data removal service is really a smart choice. They aren't cheap, and neither is your privacy. These services do all the work for you by actively monitoring and systematically erasing your personal information from hundreds of websites. It's what gives me peace of mind and has proven to be the most effective way to erase your personal data from the internet. By limiting the information available, you reduce the risk of scammers cross-referencing data from breaches with information they might find on the dark web, making it harder for them to target you.

Check out my top picks for data removal services and get a free scan to find out if your personal information is already out on the web by visiting Cyberguy.com

Get a free scan to find out if your personal information is already out on the web: Cyberguy.com

Attackers often reuse exposed email addresses to test logins across streaming services, social media and shopping accounts. Watch for password reset emails you did not request or login alerts from unfamiliar locations. If something looks off, act fast.

Data breaches no longer stay contained to one app or one moment in time. Even when attackers expose information that looks harmless, the fallout can last much longer. The SoundCloud breach shows how public profile data paired with private contact details creates real exposure. Staying alert, limiting data sharing and using strong security habits remain your best defense as breaches continue to escalate.

Have you checked which old or forgotten accounts still expose your email and could be putting you at risk right now? Let us know your thoughts by writing to us at Cyberguy.com

Sign up for my FREE CyberGuy Report Get my best tech tips, urgent security alerts and exclusive deals delivered straight to your inbox. Plus, you'll get instant access to my Ultimate Scam Survival Guide - free when you join my CYBERGUY.COM newsletter 

Copyright 2026 CyberGuy.com.  All rights reserved.