SoundCloud Data Breach Affects Nearly 30 Million Users

A major data breach at SoundCloud has affected nearly 29.8 million user accounts, according to data breach tracking service Have I Been Pwned, making it one of the largest security incidents in the platform’s history. The incident, first disclosed by the audio streaming platform in December 2025, is now understood to be far larger in scale than initially reported.

SoundCloud, founded in 2007 and home to more than 400 million tracks from over 40 million artists worldwide, confirmed on December 15, 2025, that it had detected unauthorised activity on its systems.

Around the same time, users reported widespread access issues. Those using VPN services were particularly affected, encountering repeated 403 “Forbidden” errors while trying to log in.

Initial Findings And Company Response

In its initial statement in December, SoundCloud said the breach involved an “ancillary service dashboard” and emphasized that no sensitive information, such as financial or password data, had been accessed. According to the company, only email addresses and information already visible on public SoundCloud profiles were involved, affecting approximately 20% of its users.

Upon discovery, SoundCloud said it immediately activated its incident response protocols, contained the activity, and engaged third-party cybersecurity experts to investigate the incident and strengthen its defences. The company also implemented additional security measures, including tighter access controls, improved DDoS protection, and a broader review of internal systems.

Full Impact Revealed By Have I Been Pwned

New data shared by Have I Been Pwned now paints a clearer picture of the incident’s scale. The service revealed this week that data from 29.8 million accounts was harvested in the breach, including email addresses, names, usernames, profile images, follower and following counts, and, in some cases, users’ geographic locations.

While much of this data was publicly visible on SoundCloud profiles, cybersecurity experts warn that the real risk lies in its aggregation. Linking public profile data directly to private email addresses can significantly increase the risk of phishing attacks, spam campaigns, and other forms of social engineering. Once such large datasets are released publicly, they are difficult — if not impossible — to fully contain.

Extortion Attempts And Harassment Campaign

The breach has been attributed to the ShinyHunters extortion gang, a well-known cybercriminal group linked to several high-profile data leaks in recent years. SoundCloud confirmed in a January 2026 update that the attackers attempted to extort the company and used email flooding tactics to harass users, employees, and partners.

Reports suggest the group released the stolen data publicly after those extortion attempts failed, a tactic increasingly used by extortion-focused cybercrime groups to apply pressure and cause reputational damage.

Ongoing Risks For Users

Although SoundCloud maintains that no sensitive login or financial data was compromised, experts warn that affected users remain at risk. Email addresses exposed in large breaches are often reused across multiple services, making them valuable targets for phishing attempts and account takeover efforts elsewhere.

Meanwhile, SoundCloud has urged users to remain vigilant for suspicious messages. The company has reiterated that it will never ask for passwords or login credentials and encouraged users to follow basic cybersecurity practices, such as avoiding clicking on unknown links, verifying the source of unexpected communications, and considering using email filters or aliases to reduce risk.

As of now, SoundCloud has not released a new public statement responding directly to the latest Have I Been Pwned disclosure, and it remains unclear whether all affected users will be notified individually.

Bottom Line

The incident highlights a growing trend in cybercrime, where attackers increasingly exploit even publicly available information by combining it with private identifiers like email addresses. For millions of SoundCloud users — particularly independent artists and creators — the breach serves as a reminder that data security incidents can have long-lasting effects well beyond their initial discovery.

 

Kavita Iyer