SoundCloud data breach exposes 29.8 million user accounts
NEWNow you can listen to News articles!
Hackers have exposed personal and contact information linked to SoundCloud accounts, with data breach notification service Have I Been Pwned reporting impacts to approximately 29.8 million users. The breach affected one of the world’s largest audio platforms and left many users locked out with error messages before the company confirmed the incident.
Founded in 2007, SoundCloud has grown into an artist-only service hosting over 400 million tracks from over 40 million creators. That scale made this incident especially concerning. SoundCloud said it detected unauthorized activity linked to an internal service panel and launched its incident response process. At that time, users reported 403 Forbidden errors, especially when connecting via VPN.
Sign up to receive my FREE CyberGuy reportGet my best tech tips, urgent security alerts, and exclusive offers delivered straight to your inbox. Plus, you’ll get instant access to my Ultimate Guide to Surviving Scams, free when you join me CYBERGUY.COM fact sheet
149 MILLION PASSWORDS EXPOSED IN MASSIVE CREDENTIALS LEAK
SoundCloud confirmed unauthorized activity after users reported access errors, prompting an internal response to the incident. (iStock)
What data was exposed in the SoundCloud leak?
SoundCloud initially said the attackers accessed limited data and did not touch passwords or financial information. The company said the information exposed matched what users already publicly display on their profiles.
Subsequent revelations painted a much broader picture.
According to Have I Been Pwned, the attackers collected data from approximately 29.8 million accounts. That data included:
- Email addresses
- Usernames and display names
- Profile photos and avatars.
- Follower and followers
- Geographic locations, in some cases.
While no passwords were taken, linking emails to public profiles creates a real risk. That combination fuels phishing, spoofing, and targeted scams.
Who is behind the attack?
Security researchers linked the breach to ShinyHunters, a well-known extortion ring. Sources told BleepingComputer that the group attempted to extort SoundCloud following the data breach. SoundCloud later confirmed those claims. In a January update, the company said the attackers made demands and launched email campaigns to harass users, employees and partners. ShinyHunters has also claimed responsibility for recent voice phishing attacks targeting single sign-on systems at Okta, Microsoft, and Google. Those attacks targeted corporate SaaS accounts to steal data and extort money.
Why this breach matters even without passwords
At first glance, this may seem less serious than password or credit card breaches. That assumption can be dangerous. Email addresses linked to real profiles allow scammers to craft convincing messages. They can impersonate SoundCloud, brands, or even other creators. With the number of followers and usernames, the messages feel personal and credible. Once attackers gain trust, they send fake links, malware, or login pages. This is how major account acquisitions typically begin.
What SoundCloud users should expect next
SoundCloud has not said whether more details will be released. The company confirmed the attack and the extortion attempt, but did not answer follow-up questions about the scope or internal controls. For users, the long-term risk comes from the wide dissemination of this data set. Once published, exposed data rarely disappears. It has circulated through forums, markets and fraudulent networks for years.
We reached out to SoundCloud for comment and a representative told us, “We are aware that a group of threat actors has posted online data purportedly taken from our organization. Please note that our security team, supported by leading third-party cybersecurity experts, is actively reviewing the claim and the posted data.”
SoundCloud has said it has found no evidence that sensitive data, such as passwords or financial information, was accessed.
Ways to stay safe after SoundCloud breach
If you have or had a SoundCloud account, now is the time to act. Even limited data exposure can lead to targeted scams if ignored.
1) Be on the lookout for phishing and spoofing emails
Scammers often act quickly after a breach. Keep an eye on your inbox for messages that mention SoundCloud, music uploads, copyright issues, or account warnings. Don’t click on links or open attachments from unexpected emails. If in doubt, go directly to the official website instead of using email links. Powerful antivirus software adds another layer of protection here.
Emails and public profile data were collected from nearly 29.8 million accounts, raising concerns about phishing and spoofing. (Cyberguy.com)
The best way to protect yourself from malicious links that install malware and potentially access your private information is to have powerful antivirus software installed on all your devices. This protection can also alert you to phishing emails and ransomware scams, keeping your personal information and digital assets safe.
Get my picks for the best antivirus protection winners of 2026 for your Windows, Mac, Android, and iOS devices at Cyberguy.com
2) Change your SoundCloud password anyway
Passwords weren’t exposed, but changing them is still smart. Create a new password that you don’t use anywhere else. If it seems impossible to remember passwords, consider using a password manager to generate and securely store strong passwords. This reduces the risk of reuse between platforms.
Next, check to see if your email has been exposed in previous breaches. Our number one password manager (see Cyberguy.com) includes a built-in breach scanner that checks to see if your email address or passwords have appeared in known breaches. If you discover a match, immediately change any reused passwords and protect those accounts with new, unique credentials.
Check out the best expert-reviewed password managers of 2026 at Cyberguy.com
3) Activate two-factor authentication
Two-factor authentication (2FA) adds a critical barrier if someone tries to access your account. Even if attackers guess or obtain a password later, they still need a second verification step. Enable 2FA anywhere SoundCloud or connected services offer it.
4) Lock your email account
Your email is the real target after most breaches. If someone gains access to it, they can reset passwords elsewhere. Use a unique, strong password for your email account and enable two-factor authentication. Review recovery emails and phone numbers to make sure they still belong to you.
DATA BREACH EXPOSES THE INFORMATION OF 400,000 BANK CUSTOMERS
5) Reduce your online data footprint
Attackers use hacked emails to search for more details on data broker sites and social platforms. The less data available, the harder it is to target. Consider a data erasure service to limit how often your email and personal data appear on the web.
While no service can guarantee complete removal of your data from the Internet, a data deletion service is truly a smart choice. They are not cheap, and neither is your privacy. These services do all the work for you by actively monitoring and systematically deleting your personal information from hundreds of websites. It’s what gives me peace of mind and has proven to be the most effective way to delete your personal data from the Internet. By limiting the information available, you reduce the risk of scammers cross-referencing leak data with information they can find on the dark web, making it harder for them to target you.
Check out my top picks for data removal services and get a free scan to find out if your personal information is already available on the web by visiting Cyberguy.com
Get a free scan to find out if your personal information is already available on the web: Cyberguy.com
6) Check your other accounts for suspicious activity
Attackers often reuse exposed email addresses to test logins to streaming services, social networks, and shopping accounts. Be on the lookout for unsolicited password reset emails or login alerts from unknown locations. If something seems strange, act quickly.
Security researchers linked the breach to the extortion group ShinyHunters, which then attempted to pressure SoundCloud into paying up. (Thomas Trutschel/Photothek via Getty Images)
Kurt’s Key Takeaways
Data breaches are no longer limited to one application or time. Even when attackers expose information that appears harmless, the consequences can last much longer. The SoundCloud leak shows how public profile data combined with private contact details creates real exposure. Staying vigilant, limiting data sharing, and using strong security habits remain your best defense as breaches continue to increase.
Have you checked which old or forgotten accounts are still exposing your email and could put you at risk right now? Let us know your opinion by writing to us at Cyberguy.com
CLICK HERE TO DOWNLOAD THE News APP
Sign up to receive my FREE CyberGuy report Get my best tech tips, urgent security alerts, and exclusive offers delivered straight to your inbox. Plus, you’ll get instant access to my Ultimate Guide to Surviving Scams, free when you join me CYBERGUY.COM fact sheet
Copyright 2026 CyberGuy.com. All rights reserved.
Kurt “CyberGuy” Knutsson is an award-winning technology journalist with a deep love for technology, gear and devices that improve lives with his contributions to News and News Business since mornings on “News & Friends.” Do you have any technical questions? Get Kurt’s free CyberGuy newsletter, share your voice, a story idea or comment on CyberGuy.com.