A SoundCloud data breach exposed information from 29.8 million accounts, raising phishing and impersonation risks even though no passwords were stolen.

SoundCloud has confirmed a data breach that exposed personal and contact information linked to approximately 29.8 million user accounts, according to breach notification service Have I Been Pwned. The incident affected one of the world’s largest audio platforms and temporarily locked many users out of their accounts before the company acknowledged the issue.
Founded in 2007, SoundCloud hosts more than 400 million tracks from over 40 million creators, making the scale of the breach particularly significant. The company said it detected unauthorized activity connected to an internal service dashboard and activated its incident response procedures after users reported access errors, including “403 Forbidden” messages, often when using VPNs.
Initially, SoundCloud stated that only limited data was accessed and that passwords and financial information were not compromised. However, later findings revealed a broader exposure. Have I Been Pwned reported that attackers obtained data from nearly 29.8 million accounts, including email addresses, usernames, display names, profile images, follower counts, and, in some cases, geographic information.
While login credentials were not stolen, security experts warn that linking email addresses to public profiles significantly increases the risk of phishing, impersonation, and targeted scams.
Researchers have attributed the breach to ShinyHunters, a notorious cyber-criminal group known for data extortion. Reports indicate the group attempted to extort SoundCloud and later launched email-flooding campaigns targeting users, employees, and partners. ShinyHunters has also been linked to recent voice-phishing attacks against major platforms such as Microsoft, Google, and Okta.
SoundCloud acknowledged the extortion attempt and said it is continuing to investigate the incident with the support of third-party cybersecurity experts. The company maintains that it has found no evidence that sensitive data, including passwords or financial details, was accessed.
For users, the long-term concern lies in how widely the exposed data may spread. Once published, breached datasets often circulate for years, fueling future scams and social-engineering attacks.






