SoundCloud Security Breach 2025: User Data Stolen, VPN Access Disrupted, and ShinyHunters Extortion Analysis
- Rescana

Executive Summary
SoundCloud, a leading audio streaming platform, has confirmed a security breach that resulted in the theft of member data and significant disruption to VPN access. The incident, which began in mid-December 2025, was traced to unauthorized access via an ancillary service dashboard. Approximately 20% of SoundCloud users—estimated at 28 million accounts—were affected, with compromised data limited to email addresses and information already visible on public profiles. No sensitive data such as financial or password information was accessed. The breach was followed by denial-of-service attacks that temporarily disabled the platform’s web availability. In response, SoundCloud implemented configuration changes that disrupted VPN and Tor access, impacting users in regions where such tools are essential for platform access. The extortion group ShinyHunters is suspected to be behind the attack, reportedly demanding ransom after exfiltrating the database. SoundCloud has worked with third-party cybersecurity experts to contain the breach, enhance monitoring, and review access controls. The company asserts that all unauthorized access has been blocked and that there is no ongoing risk to the platform. This report provides a detailed technical analysis of the incident, assesses the quality of available evidence, and offers prioritized mitigation recommendations.
Technical Information
The breach at SoundCloud was initiated through unauthorized access to an ancillary service dashboard, which is a secondary administrative interface not directly tied to the core platform but with access to user data. This method of entry is consistent with exploitation of a web application vulnerability or abuse of valid credentials, mapped to MITRE ATT&CK technique T1190: Exploit Public-Facing Application (MITRE ATT&CK T1190). The attacker was able to access and exfiltrate a database containing user email addresses and public profile information. According to SoundCloud, no sensitive data such as financial information or passwords was accessed (BleepingComputer, 5mag, Gigazine).
The exfiltration of data aligns with MITRE ATT&CK techniques T1041: Exfiltration Over C2 Channel and T1537: Transfer Data to Cloud Account, which describe methods for transferring stolen data out of a compromised environment (MITRE ATT&CK T1041, MITRE ATT&CK T1537). The breach affected approximately 20% of the platform’s user base, which, based on public figures, equates to around 28 million accounts. The compromised data was limited to email addresses and information already visible on public profiles, reducing the risk of direct financial fraud but increasing the risk of phishing and social engineering attacks against affected users.
Following the containment of the initial breach, SoundCloud experienced two denial-of-service (DoS) attacks that temporarily disabled the platform’s web availability. These attacks are mapped to MITRE ATT&CK technique T1499: Endpoint Denial of Service (MITRE ATT&CK T1499). The DoS attacks appear to have been retaliatory, possibly intended to disrupt incident response or increase pressure on the company during the extortion phase.
The extortion phase, reportedly conducted by the ShinyHunters group, involved demands for payment in exchange for not leaking the stolen database. This activity is consistent with MITRE ATT&CK technique T1657: Extortion (MITRE ATT&CK T1657). ShinyHunters is a well-known threat actor group with a history of targeting large online platforms, including recent breaches at PornHub and Ticketmaster (Gigazine). Their typical tactics include exploiting web application vulnerabilities, stealing large datasets, and extorting victims by threatening to release the data publicly.
As part of its incident response, SoundCloud implemented configuration changes that disrupted VPN and Tor access to the platform, resulting in 403 "forbidden" errors for users attempting to connect via these methods. This measure was intended to block further unauthorized access but had the unintended consequence of preventing legitimate users—particularly those in countries where SoundCloud is blocked and VPNs are essential for access—from reaching the platform. At the time of reporting, no timeline has been provided for the restoration of VPN access (BleepingComputer, Gigazine).
No specific malware, exploit kits, or command-and-control infrastructure have been publicly identified in connection with this incident. The attack appears to have relied on exploiting a web application or abusing valid credentials, rather than deploying custom malware. This assessment is based on direct statements from SoundCloud and the absence of technical indicators in public reporting. The confidence level for this assessment is high.
Attribution to ShinyHunters is based on a tip received by BleepingComputer and the group’s known tactics, techniques, and procedures (TTPs). While the pattern of activity is consistent with previous ShinyHunters operations, there is no direct technical evidence (such as malware samples or infrastructure links) publicly available to confirm their involvement. The confidence level for this attribution is medium.
The sector-specific impact of the breach is significant, particularly for users in regions where access to SoundCloud is restricted and VPNs are required. The disruption of VPN and Tor access has created additional barriers for these users, highlighting the collateral impact of defensive measures taken during incident response.
In summary, the SoundCloud breach was executed via exploitation of a public-facing application, resulting in the exfiltration of user email addresses and public profile data, followed by denial-of-service attacks and extortion attempts. The TTPs align with MITRE ATT&CK techniques T1190, T1041/T1537, T1499, and T1657. Attribution to ShinyHunters is supported by circumstantial evidence and historical pattern analysis but lacks direct technical artifacts.
Affected Versions & Timeline
The breach affected approximately 20% of SoundCloud users, which, based on publicly reported figures, is estimated at 28 million accounts (BleepingComputer, Gigazine). The compromised data included email addresses and information already visible on public profiles. No sensitive data such as financial or password information was accessed.
The timeline of verified events is as follows: In mid-December 2025, users began reporting issues with VPN and Tor access, as well as intermittent outages. On December 15, 2025, SoundCloud confirmed the breach, issued a public statement, and detailed its incident response actions. Between December 15 and 16, 2025, multiple sources confirmed the breach, the types of data compromised, and the ongoing disruption to VPN access. The denial-of-service attacks occurred after the initial breach was contained, temporarily disabling the platform’s web availability (5mag).
Threat Activity
The threat activity in this incident began with unauthorized access to an ancillary service dashboard, likely through exploitation of a web application vulnerability or abuse of valid credentials. The attacker exfiltrated a database containing user email addresses and public profile information. The breach was limited in scope, with no access to sensitive data such as financial or password information.
Following the containment of the breach, the attacker launched two denial-of-service attacks that temporarily disabled the platform’s web availability. These attacks are consistent with attempts to disrupt incident response or increase pressure during the extortion phase. The extortion group ShinyHunters is suspected to be behind the attack, reportedly demanding ransom in exchange for not leaking the stolen database. ShinyHunters is known for targeting large online platforms and using similar tactics in previous incidents.
The incident response by SoundCloud included configuration changes that disrupted VPN and Tor access, resulting in 403 errors for users attempting to connect via these methods. This measure was intended to block further unauthorized access but had the unintended consequence of preventing legitimate users from accessing the platform, particularly in regions where VPNs are essential.
No specific malware, exploit kits, or command-and-control infrastructure have been publicly identified in connection with this incident. The attack appears to have relied on exploiting a web application or abusing valid credentials, rather than deploying custom malware.
Attribution to ShinyHunters is based on circumstantial evidence, including a tip received by BleepingComputer and the group’s known tactics, techniques, and procedures. While the pattern of activity is consistent with previous ShinyHunters operations, there is no direct technical evidence publicly available to confirm their involvement.
Mitigation & Workarounds
Mitigation and workarounds should be prioritized by severity as follows:
Critical: Organizations operating public-facing dashboards or administrative interfaces should immediately review and harden access controls. This includes enforcing strong authentication (such as multi-factor authentication), restricting access by IP address where possible, and conducting regular vulnerability assessments of all externally accessible services. Any ancillary or secondary dashboards should be inventoried and subjected to the same security controls as primary systems.
High: All organizations should review their incident response plans to ensure rapid detection and containment of unauthorized access. Enhanced monitoring and logging should be implemented for all administrative interfaces and sensitive data stores. Regular audits of user permissions and access logs are essential to detect anomalous activity.
Medium: Users whose email addresses and public profile information may have been compromised should be notified and advised to be vigilant for phishing and social engineering attempts. Organizations should provide clear guidance on how to identify and report suspicious emails or account activity.
Medium: Organizations should assess the impact of defensive measures, such as blocking VPN and Tor access, on legitimate users. Where possible, alternative secure access methods should be provided for users in regions where VPNs are essential for platform access.
Low: Ongoing collaboration with third-party cybersecurity experts is recommended to review and enhance security controls, conduct post-incident assessments, and ensure that lessons learned are incorporated into future security strategies.
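The Critical and High recommendations above call for restricting administrative interfaces by source address and for monitoring access logs of ancillary dashboards for anomalous activity. The following is an added example, not code from SoundCloud, Rescana or any of the cited sources, of what such monitoring can look like in practice: it reads a dashboard access log, flags every request whose source address is outside an administrative allowlist, and keeps a sliding window of how many user records each principal has pulled, so that a bulk export through a secondary dashboard stands out even when the requests are individually small. The JSON log format, field names, endpoint paths, allowlisted ranges and thresholds are all assumptions, and the sample log lines are constructed for the example.

```python
"""Flag anomalous access to an administrative dashboard from its access log.

Added example (not SoundCloud's or Rescana's code). Two detections:
  1. a request to the dashboard from a source address outside the
     administrative allowlist;
  2. a principal whose cumulative record reads within a sliding window
     exceed a bulk-export threshold.
Log format, field names, endpoints, allowlist ranges and thresholds are
assumptions; the sample log is constructed.
"""
import ipaddress
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed administrative source ranges (e.g. office egress, bastion host).
ADMIN_ALLOWLIST = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.8/32"),
]

# Assumed thresholds: more than BULK_THRESHOLD user records returned to one
# principal within WINDOW is treated as a bulk-export indicator.
BULK_THRESHOLD = 5000
WINDOW = timedelta(minutes=10)

# Constructed sample log, one JSON object per line, in the shape an ancillary
# dashboard might emit (field names are assumptions).
SAMPLE_LOG = """
{"ts":"2025-12-14T09:02:11Z","src":"203.0.113.17","user":"ops.alice","path":"/dashboard/users/search","records":40,"status":200}
{"ts":"2025-12-14T09:05:40Z","src":"203.0.113.17","user":"ops.alice","path":"/dashboard/users/search","records":12,"status":200}
{"ts":"2025-12-14T22:14:03Z","src":"192.0.2.77","user":"svc.report","path":"/dashboard/users/export","records":2500,"status":200}
{"ts":"2025-12-14T22:16:45Z","src":"192.0.2.77","user":"svc.report","path":"/dashboard/users/export","records":2500,"status":200}
{"ts":"2025-12-14T22:19:10Z","src":"192.0.2.77","user":"svc.report","path":"/dashboard/users/export","records":2500,"status":200}
{"ts":"2025-12-14T22:40:00Z","src":"198.51.100.8","user":"ops.bob","path":"/dashboard/health","records":0,"status":200}
""".strip()


def parse_line(line):
    """Parse one JSON log line; convert the timestamp and source address."""
    rec = json.loads(line)
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["src"] = ipaddress.ip_address(rec["src"])
    return rec


def is_allowlisted(addr):
    """True if addr (string or ip_address object) is inside an admin range."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in ADMIN_ALLOWLIST)


def detect(log_text):
    """Return a list of (rule, user, src, detail) alerts for the given log."""
    alerts = []
    windows = defaultdict(deque)   # per-principal (timestamp, records) window
    flagged_bulk = set()           # alert once per principal for bulk reads
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if not is_allowlisted(rec["src"]):
            alerts.append(("unallowlisted_source", rec["user"],
                           str(rec["src"]), rec["path"]))
        win = windows[rec["user"]]
        win.append((rec["ts"], rec["records"]))
        # Drop entries that fell out of the sliding window.
        while win and rec["ts"] - win[0][0] > WINDOW:
            win.popleft()
        total = sum(n for _, n in win)
        if total > BULK_THRESHOLD and rec["user"] not in flagged_bulk:
            flagged_bulk.add(rec["user"])
            alerts.append(("bulk_export", rec["user"], str(rec["src"]),
                           f"{total} records within {WINDOW}"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the constructed log this raises three unallowlisted-source alerts for the export requests from 192.0.2.77 and one bulk-export alert for the principal that pulled 7,500 records in about five minutes. Note that the allowlist applies to the administrative interface only: restricting who may reach the dashboard does not require blocking VPN or Tor traffic to the public platform, which is the collateral impact on legitimate users that the Medium recommendation above asks organizations to assess.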
References
https://www.bleepingcomputer.com/news/security/soundcloud-confirms-breach-after-member-data-stolen-vpn-access-disrupted/
https://5mag.net/news/soundcloud-breach-vpn-block-dos-attack-data-theft/
https://gigazine.net/gsc_news/en/20251216-soundcloud-data-breach/
https://attack.mitre.org/techniques/T1190/
https://attack.mitre.org/techniques/T1041/
https://attack.mitre.org/techniques/T1499/
https://attack.mitre.org/techniques/T1657/
About Rescana
Rescana provides a third-party risk management (TPRM) platform designed to help organizations identify, assess, and monitor risks associated with external vendors and service providers. Our platform enables continuous monitoring of vendor security posture, supports rapid incident response coordination, and facilitates compliance with industry standards. For questions or further information, please contact us at ops@rescana.com.