SoundCloud Data Breach 2025: 29.8 Million Accounts Exposed and Indexed by Have I Been Pwned

  • Rescana
  • 1 day ago

Executive Summary

In December 2025, SoundCloud experienced a significant data breach impacting approximately 29.8 million user accounts, representing about 20% of its user base. The breach was the result of unauthorized access to an internal service dashboard, which allowed attackers to map hidden email addresses to publicly available profile data. The compromised information included email addresses, usernames, display names, avatars, follower and following counts, profile statistics, and, in some cases, users’ country of origin. No passwords, financial data, or private user content were exposed. The incident was attributed to the ShinyHunters extortion group, who attempted to extort SoundCloud and subsequently leaked the data online in January 2026. The breach led to operational disruptions, including denial-of-service attacks and VPN access issues due to post-breach firewall changes. The breach was officially disclosed by SoundCloud and indexed by Have I Been Pwned on January 27, 2026. All claims in this summary are directly supported by the referenced sources.

Technical Information

The SoundCloud data breach was executed through unauthorized access to an internal service dashboard, which is a privileged administrative interface not intended for public use. Attackers exploited this dashboard to correlate email addresses, which are typically hidden from public view, with information from publicly accessible user profiles. This enabled the mapping and subsequent exfiltration of data for 29.8 million accounts. The breach did not involve the deployment of malware or exploitation of end-user devices; rather, it was a credential-based attack targeting internal infrastructure.

The compromised data set included email addresses, usernames, display names, avatars, follower and following counts, profile statistics, and, in some cases, the user’s country of origin. Notably, no sensitive data such as passwords, financial information, or private user content was accessed or exfiltrated. The attackers, identified as the ShinyHunters group, are known for targeting cloud services and developer infrastructure, often leveraging stolen or phished credentials, including OAuth keys, to gain unauthorized access.

Following the breach, SoundCloud experienced a series of denial-of-service attacks, which temporarily disrupted platform access. Additionally, changes to the Web Application Firewall (WAF) during the post-breach security overhaul inadvertently blocked legitimate traffic from VPN and proxy services, causing further user access issues. The attackers attempted to extort SoundCloud by making demands and deploying email flooding tactics to harass users, employees, and partners. When extortion efforts failed, the stolen data was leaked online and subsequently indexed by Have I Been Pwned.

The attack aligns with several tactics and techniques from the MITRE ATT&CK framework, including Valid Accounts (T1078), Exploitation of Remote Services (T1210), Steal Application Access Tokens (T1528), Cloud Infrastructure Discovery (T1580), Data from Cloud Storage Object (T1530), Exfiltration Over Web Service (T1567), and Denial-of-Service (T1499). The evidence supporting these mappings includes direct statements from SoundCloud, technical analysis from independent security researchers, and historical pattern matching with previous ShinyHunters operations.

The breach had sector-specific implications for the music and audio streaming industry, particularly for independent musicians, podcasters, and DJs who rely on SoundCloud for audience engagement. The exposure of email addresses and profile data increases the risk of targeted phishing and social engineering attacks against affected users. Approximately 67% of the exposed email addresses were already present in the Have I Been Pwned database, indicating that many users had been affected by previous breaches and may be at heightened risk of credential stuffing or other follow-on attacks.

SoundCloud’s incident response included isolating affected systems, engaging external cybersecurity experts, and confirming that no sensitive data was compromised. The company’s transparency in disclosure and prompt containment of the breach are notable, although the operational disruptions and subsequent data leak underscore the persistent risks associated with credential-based attacks on cloud platforms.

Affected Versions & Timeline

The breach affected approximately 29.8 million SoundCloud user accounts, representing about 20% of the platform’s user base at the time. The incident timeline is as follows: In December 2025, SoundCloud detected unauthorized activity and confirmed the breach. On December 15, 2025, the company publicly acknowledged the incident after users reported access issues and 403 "Forbidden" errors, particularly when connecting via VPN. In January 2026, the attackers attempted to extort SoundCloud and, after failing to secure payment, leaked the data online. The breach was officially indexed by Have I Been Pwned on January 27, 2026, allowing users to check if their email addresses were involved. No specific software versions or platform releases were identified as uniquely vulnerable; the attack targeted internal administrative infrastructure rather than a particular application version.

Threat Activity

The threat activity associated with this breach is attributed to the ShinyHunters extortion group, a well-known actor in the cybercriminal ecosystem. The group is recognized for targeting cloud services, SaaS platforms, and developer infrastructure, often using stolen or phished credentials to gain access to internal systems. In this incident, ShinyHunters exploited an internal SoundCloud service dashboard to map email addresses to public profile data, enabling the exfiltration of a large dataset without the need for malware or direct exploitation of end-user devices.

After gaining access, the attackers attempted to extort SoundCloud by making demands and using email flooding tactics to harass users, employees, and partners. When these efforts failed, the group leaked the stolen data online, where it was subsequently copied and republished on hacker forums. The attack was further characterized by denial-of-service activity, which temporarily disrupted platform access and compounded the operational impact of the breach.

The tactics, techniques, and procedures (TTPs) observed in this incident are consistent with previous ShinyHunters operations, including credential-based access, cloud infrastructure exploitation, extortion, and public data leaks. The group’s historical targeting of cloud and SaaS platforms, as well as its rapid monetization of stolen data via underground forums, supports the high-confidence attribution in this case.

Mitigation & Workarounds

The following mitigation and workaround recommendations are prioritized by severity:

Critical: Organizations should immediately review and restrict access to internal administrative dashboards and ancillary service interfaces. Implement strong authentication mechanisms, such as multi-factor authentication (MFA), for all privileged accounts and internal tools. Regularly audit access logs and monitor for anomalous activity, particularly targeting cloud infrastructure and administrative interfaces.

High: Conduct a comprehensive review of credential management practices, including the rotation of OAuth keys, API tokens, and other sensitive credentials. Ensure that all credentials are stored securely and are not accessible from public repositories or developer infrastructure. Implement strict network segmentation to limit access to sensitive internal systems.

Medium: Review and update Web Application Firewall (WAF) configurations to prevent inadvertent blocking of legitimate user traffic, especially from VPN and proxy services. Test firewall changes in a controlled environment before deploying to production to minimize operational disruptions.

Low: Educate users about the risks of phishing and social engineering attacks, particularly in the aftermath of a data breach involving email address exposure. Encourage users to enable two-factor authentication (2FA) where available and to avoid reusing passwords across multiple platforms.

All organizations should maintain an incident response plan that includes procedures for rapid containment, external expert engagement, and transparent communication with affected users. Regular tabletop exercises and red team assessments can help identify gaps in existing controls and improve overall security posture.
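One way to operationalise the Critical recommendation above (auditing access logs of internal administrative interfaces for anomalous activity) is a detector for the pattern this incident describes: a single principal sweeping through far more user records than any routine support task needs. This is an added example, not Rescana's or SoundCloud's code; the audit-log format, the endpoint path, the principal names and the threshold are assumptions, and the log lines are constructed.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)          # sliding window per principal
DISTINCT_USER_THRESHOLD = 50            # assumption: set from your own baseline


def build_sample_log():
    """Constructed audit lines (not real SoundCloud data): one support agent
    doing routine per-ticket lookups, one service account sweeping users."""
    base = datetime(2025, 12, 10, 14, 0, 0)
    lines = []
    for i in range(6):  # six tickets spread over an hour
        lines.append(json.dumps({"ts": (base + timedelta(minutes=10 * i)).isoformat(),
                                 "actor": "support.agent", "src_ip": "10.1.2.3",
                                 "endpoint": "/internal/users/lookup", "target_user": 1000 + i}))
    for i in range(200):  # 200 distinct users in just over three minutes
        lines.append(json.dumps({"ts": (base + timedelta(seconds=i)).isoformat(),
                                 "actor": "svc-reporting", "src_ip": "203.0.113.7",
                                 "endpoint": "/internal/users/lookup", "target_user": 50000 + i}))
    return lines


def detect_enumeration(lines, window=WINDOW, threshold=DISTINCT_USER_THRESHOLD):
    """Return one alert per principal whose distinct target-user count inside
    any sliding window exceeds the threshold: (actor, window_start, count)."""
    events = sorted((json.loads(line) for line in lines), key=lambda r: r["ts"])
    recent = defaultdict(deque)   # actor -> deque of (timestamp, target_user)
    alerts, alerted = [], set()
    for rec in events:
        if not rec["endpoint"].startswith("/internal/users/"):
            continue                # only the privileged user-lookup surface
        ts = datetime.fromisoformat(rec["ts"])
        q = recent[rec["actor"]]
        q.append((ts, rec["target_user"]))
        while ts - q[0][0] > window:   # drop events that fell out of the window
            q.popleft()
        distinct = {t for _, t in q}
        if len(distinct) > threshold and rec["actor"] not in alerted:
            alerted.add(rec["actor"])
            alerts.append((rec["actor"], q[0][0].isoformat(), len(distinct)))
    return alerts


if __name__ == "__main__":
    for actor, start, count in detect_enumeration(build_sample_log()):
        print(f"ALERT {actor}: {count} distinct users looked up since {start}")
```

The routine agent never trips the threshold, while the service account is flagged as soon as its 51st distinct user is looked up inside the window; pairing the alert with the source IP lets responders check whether the session also came from an unexpected network.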

References

https://haveibeenpwned.com/Breach/SoundCloud
https://www.bleepingcomputer.com/news/security/have-i-been-pwned-soundcloud-data-breach-impacts-298-million-accounts/
https://cyberinsider.com/soundcloud-breach-added-to-hibp-29-8-million-accounts-exposed/
https://www.intel471.com/blog/shinyhunters-data-breach-mitre-attack

About Rescana

Rescana provides a Third-Party Risk Management (TPRM) platform designed to help organizations identify, assess, and monitor risks associated with their external vendors and partners. Our platform enables continuous monitoring of vendor security posture, automated risk assessments, and actionable insights to support incident response and risk mitigation efforts. For questions about this report or to discuss how our capabilities can support your organization’s risk management strategy, contact us at ops@rescana.com.