SoundCloud, the audio streaming and distribution platform hosting over 400 million tracks from 40 million creators worldwide, has confirmed a data breach affecting approximately 29.8 million user accounts, roughly 20% of its total user base. The breach, which came to light in December 2025, was attributed to ShinyHunters, the prolific extortion group responsible for a string of high-profile platform compromises. ShinyHunters attempted to extort SoundCloud before leaking the stolen data publicly. The breach was subsequently indexed by Have I Been Pwned, providing independent corroboration of the incident's scope.
What Happened
Unauthorized activity on SoundCloud's platform was detected and confirmed in December 2025. Users began reporting anomalies, including widespread 403 "Forbidden" errors when accessing the site via VPN, which surfaced the breach before formal disclosure. SoundCloud activated its incident response procedures and acknowledged that a threat actor had accessed "certain limited data."
ShinyHunters claimed responsibility and followed their established playbook: exfiltrate data, demand payment, then leak when extortion fails. The stolen dataset was ultimately published, with Have I Been Pwned indexing the records and notifying affected users through its breach notification service.
SoundCloud's public statements characterized the breach as limited in scope, emphasizing that no financial data or passwords were compromised. However, the scale, 29.8 million records, and the involvement of a sophisticated extortion group suggest the incident was neither minor nor contained to low-sensitivity data.
What Was Taken
According to Have I Been Pwned's analysis of the leaked dataset, the following categories of user data were exposed across 29.8 million accounts:
- Email addresses
- Full names and usernames
- Geographic locations
- Profile statistics (follower counts, track plays, engagement metrics)
- Publicly visible profile details
SoundCloud confirmed that passwords and financial information were not included in the breach. Even so, the combination of email addresses, real names, geographic locations, and platform activity profiles is a high-quality dataset for targeted phishing and social engineering, and the email list can be joined with passwords from earlier dumps to drive credential stuffing against users who reuse credentials across platforms.
Why It Matters
SoundCloud's user base skews heavily toward musicians, audio creators, and music industry professionals, a population with disproportionate access to label systems, publishing platforms, distribution services, and financial accounts tied to their creative work. A breach targeting this demographic carries different downstream risk than a generic consumer platform compromise.
ShinyHunters specifically is not an opportunistic crew. The group has demonstrated sustained capability and intent across dozens of major platform breaches (Ticketmaster, Santander, AT&T, and now SoundCloud) within a concentrated campaign period. Their modus operandi, bulk exfiltration followed by extortion and then public release, means the data is now broadly circulating in criminal markets regardless of whether any ransom was paid.
The VPN-triggered 403 errors that first surfaced the breach deserve attention: they suggest that emergency blocking of VPN and anonymizing IP ranges was applied, plausibly in response to detected enumeration or scraping activity, but only after the exfiltration had already happened. This is a pattern seen repeatedly in ShinyHunters campaigns: detection happens after the data is already out.
The group's concurrent targeting of SSO providers (Okta, Microsoft, Google) through voice phishing campaigns adds a compounding threat: SoundCloud user emails extracted in this breach can be cross-referenced with corporate identity providers to identify high-value SSO account targets for follow-on attacks.
The Attack Technique
The specific initial access vector for the SoundCloud breach has not been publicly confirmed. ShinyHunters has historically used several entry methods across their campaign portfolio:
- Credential stuffing against admin or internal portals using credentials obtained from prior breaches
- Social engineering and vishing targeting identity provider (Okta, Entra ID) accounts to obtain SSO tokens granting access to corporate SaaS environments
- Third-party vendor compromise: accessing platform data through a trusted integration or cloud storage misconfiguration rather than breaching the primary platform directly
The combination of SoundCloud's acknowledgment of "unauthorized access to certain limited data" and the profile-level granularity of the stolen records (including engagement statistics) suggests the attacker had authenticated read access to user database records or a data export function, rather than exploiting an unauthenticated vulnerability.
ShinyHunters' concurrent vishing campaign against Okta and Microsoft SSO accounts, reported in the same timeframe, raises the possibility that SoundCloud's internal systems were accessed via a compromised employee SSO credential rather than a direct application exploit.
What Organizations Should Do
- Enforce phishing-resistant MFA on all SSO and identity provider accounts. ShinyHunters' vishing campaigns specifically target the human layer of SSO authentication. FIDO2/passkey-based MFA defeats vishing because there is no OTP to read out and no approval prompt to fatigue; the authenticator only completes a challenge for the origin it was registered with, so a caller cannot talk a user through authenticating on the attacker's behalf. Organizations still relying on push-based MFA or SMS OTP should treat this as a forcing function to upgrade.
- Monitor for credential stuffing against your authentication endpoints. The SoundCloud user dataset, 29.8 million email/profile pairs, is now circulating, and those email addresses will be joined with passwords from earlier breaches. Any platform that shares a significant user population with SoundCloud should expect elevated credential stuffing volume. Implement rate limiting, bot detection, and anomalous login alerting on authentication flows.
- Brief creative and media industry clients on targeted phishing risk. Musicians, podcasters, and audio creators with SoundCloud accounts are now confirmed targets with known email addresses and geographic locations. Security teams serving entertainment, publishing, or media clients should proactively notify them and recommend credential hygiene.
- Audit data export and bulk read APIs for access controls and rate limits. Breaches of this profile, where engagement statistics and profile metadata are included, often originate from internal APIs or export endpoints that lack the same scrutiny as public authentication surfaces. Review which authenticated endpoints can return user records at scale and ensure they are rate-limited, logged, and require elevated authorization.
- Cross-reference your email domain exposure against the SoundCloud dataset via Have I Been Pwned's domain search. HIBP offers domain-level breach monitoring for organizational email addresses. If your employees or customers have SoundCloud accounts under corporate email addresses, you can identify exposed accounts and prompt proactive password resets and MFA enrollment.
- Watch for ShinyHunters-linked vishing attempts targeting your IT helpdesk and identity providers. The group has demonstrated the capability to impersonate employees convincingly in calls to Okta support and corporate IT helpdesks, requesting MFA resets or token provisioning. Brief helpdesk staff on strict identity verification procedures before any credential or MFA reset is processed; voice alone is not sufficient verification.
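A minimal version of the two detections recommended above, credential stuffing against the login endpoint and bulk reads of user records through an authenticated API (the pattern the profile-level granularity of the stolen data points to), as an added example that is not SoundCloud's code and not part of the original article. The log line format, the endpoint paths (/sign_in and /api/users/{id}), the thresholds and every sample log line are constructed for this example; map them onto your own access logs.

```python
"""Windowed detectors for credential stuffing and profile enumeration.

Added example; nothing here is SoundCloud's code.  Assumed log line format:
    "<ISO-8601 ts> <client ip> <principal> <method> <path> <status>"
where <principal> is the submitted login identifier for POST /sign_in and the
API token or session id (or "-") for every other request.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (GET|POST) (\S+) (\d{3})$")
USER_PATH_RE = re.compile(r"^/api/users/(\d+)$")   # hypothetical profile-read endpoint


def parse_line(line):
    """Parse one access-log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, ip, principal, method, path, status = m.groups()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "ip": ip, "principal": principal, "method": method,
        "path": path, "status": int(status),
    }


class DistinctInWindow:
    """Per-key count of distinct values seen inside a trailing time window.

    Assumes events for a given key arrive in time order, as they do when replaying a log.
    """
    def __init__(self, window):
        self.window = window
        self.events = defaultdict(deque)   # key -> deque of (ts, value)

    def add(self, key, ts, value):
        q = self.events[key]
        q.append((ts, value))
        while q and ts - q[0][0] > self.window:   # drop events older than the window
            q.popleft()
        return len({v for _, v in q})


def detect(lines, window=timedelta(minutes=5), stuffing_threshold=10, enum_threshold=25):
    """Replay log lines and return sorted (rule, key) alerts, at most one per key and rule.

    credential_stuffing: one client IP fails login for >= stuffing_threshold
                         distinct identities inside the window.
    profile_enumeration: one authenticated principal successfully reads
                         >= enum_threshold distinct user records inside the window.
    """
    failed_logins = DistinctInWindow(window)
    profile_reads = DistinctInWindow(window)
    alerts = set()
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["method"] == "POST" and ev["path"] == "/sign_in" and ev["status"] == 401:
            if failed_logins.add(ev["ip"], ev["ts"], ev["principal"]) >= stuffing_threshold:
                alerts.add(("credential_stuffing", ev["ip"]))
        m = USER_PATH_RE.match(ev["path"])
        if m and ev["method"] == "GET" and ev["status"] == 200 and ev["principal"] != "-":
            if profile_reads.add(ev["principal"], ev["ts"], m.group(1)) >= enum_threshold:
                alerts.add(("profile_enumeration", ev["principal"]))
    return sorted(alerts)


def _sample_log():
    """Constructed sample traffic: one stuffing burst, one scraper, two legitimate users."""
    base = datetime(2025, 12, 3, 10, 0, 0)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    lines = []
    for i in range(12):   # 12 identities, all 401, from one IP within a minute
        t = base + timedelta(seconds=5 * i)
        lines.append(f"{t.strftime(fmt)} 203.0.113.7 user{i}@example.com POST /sign_in 401")
    for i, status in enumerate((401, 401, 200)):   # a real user mistyping twice
        t = base + timedelta(seconds=100 + i)
        lines.append(f"{t.strftime(fmt)} 198.51.100.4 alice@example.com POST /sign_in {status}")
    for i in range(40):   # one token walking 40 sequential user ids in two minutes
        t = base + timedelta(seconds=200 + 3 * i)
        lines.append(f"{t.strftime(fmt)} 198.51.100.9 tok_scraper GET /api/users/{10000 + i} 200")
    for i in range(5):    # ordinary browsing: a handful of profiles
        t = base + timedelta(seconds=300 + 30 * i)
        lines.append(f"{t.strftime(fmt)} 192.0.2.10 tok_bob GET /api/users/{500 + i} 200")
    return lines


SAMPLE_LOG = _sample_log()

if __name__ == "__main__":
    for rule, key in detect(SAMPLE_LOG):
        print(f"ALERT {rule}: {key}")
```

Run against the constructed log it raises exactly two alerts, one for the stuffing IP and one for the scraping token, while the user who mistypes twice and the user browsing five profiles stay quiet. The stuffing rule keys on distinct identities per source IP; if your attacker rotates IPs, key the same counter on the target identity instead (many failures per account from many sources) and alert on both.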
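How the domain-search step above turns into a triage list, as an added example that is not SoundCloud's or Have I Been Pwned's own code. It assumes the public HIBP API v3 shapes: GET /breacheddomain/{domain} (verified domain, hibp-api-key header) returns a JSON object mapping each alias to the list of breach names it appears in, and GET /breach/{name} returns metadata whose "DataClasses" list names the exposed fields. The breach name "SoundCloud", the example.com aliases and both sample payloads are constructed; the live helper is included so the same triage function can be pointed at real output.

```python
"""Triage of a Have I Been Pwned (HIBP) domain-search result against one breach.

Added example, not SoundCloud's or HIBP's code.  Assumed from the public HIBP API v3
docs: GET /breacheddomain/{domain} (verified domain, hibp-api-key header) returns
{alias: [breach names]}, and GET /breach/{name} returns breach metadata whose
"DataClasses" list names the exposed fields.  The breach name "SoundCloud", the
example.com domain and both sample payloads below are constructed for this example.
"""
import json
import urllib.request

HIBP_API = "https://haveibeenpwned.com/api/v3"


def hibp_get(path, api_key):
    """Authenticated GET against HIBP v3 (network call; the offline sample below does not use it)."""
    req = urllib.request.Request(
        HIBP_API + path,
        headers={"hibp-api-key": api_key, "user-agent": "breach-triage-example"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def triage(domain_result, breach_meta, target_breach="SoundCloud"):
    """Map each alias exposed in target_breach to an action.

    ("reset", [breaches])  alias also appears in a breach that exposed passwords:
                           force a reset, the address is usable for credential stuffing
    ("notify", [])         only profile data exposed: targeted-phishing awareness and MFA nudge
    Aliases not present in target_breach are left out.
    """
    actions = {}
    for alias, breaches in domain_result.items():
        if target_breach not in breaches:
            continue
        leaked_passwords = sorted(
            b for b in breaches
            if "Passwords" in breach_meta.get(b, {}).get("DataClasses", [])
        )
        actions[alias] = ("reset", leaked_passwords) if leaked_passwords else ("notify", [])
    return actions


def triage_domain(domain, api_key, target_breach="SoundCloud"):
    """Live version: fetch the domain result, then metadata for every breach it names."""
    domain_result = hibp_get(f"/breacheddomain/{domain}", api_key)
    names = {b for bs in domain_result.values() for b in bs}
    meta = {n: hibp_get(f"/breach/{n}", api_key) for n in names}
    return triage(domain_result, meta, target_breach)


# Constructed sample payloads: the shape follows the HIBP v3 docs, the contents are invented.
SAMPLE_DOMAIN_RESULT = {
    "alice": ["SoundCloud"],
    "bob": ["SoundCloud", "ExampleForum"],
    "carol": ["ExampleForum"],
}
SAMPLE_BREACH_META = {
    "SoundCloud": {"Name": "SoundCloud", "DataClasses": [
        "Email addresses", "Names", "Usernames", "Geographic locations"]},
    "ExampleForum": {"Name": "ExampleForum", "DataClasses": ["Email addresses", "Passwords"]},
}

if __name__ == "__main__":
    for alias, (action, why) in sorted(triage(SAMPLE_DOMAIN_RESULT, SAMPLE_BREACH_META).items()):
        print(f"{alias}@example.com: {action} {' '.join(why)}".rstrip())
```

The split matters because the SoundCloud set itself carries no passwords: an address that appears only there needs awareness and MFA enrollment, while an address that also sits in a password-bearing dump is a live credential-stuffing candidate and needs a forced reset first.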