SoundCloud Data Breach Exposes 29.8 Million User Accounts, Says Security Expert Troy Hunt

Security researcher Troy Hunt, founder of the data breach tracking service Have I Been Pwned, reported that a SoundCloud data breach exposed information from 29.8 million user accounts.

 

In December last year, SoundCloud confirmed a security incident that caused service outages and VPN access issues. The breach involved unauthorised access to a database containing users’ email addresses and publicly visible profile information. About 20% of SoundCloud’s user base was affected, potentially tens of millions of accounts, but no passwords or financial data were compromised.

 

The breach was traced to unauthorised activity through an ancillary service dashboard. SoundCloud activated its incident response procedures and worked with third-party cyber security experts to strengthen security, including improved monitoring and threat detection, reviewing access controls, and assessing related systems.

 

After containing the breach, SoundCloud experienced multiple denial-of-service attacks that temporarily disrupted web access while mobile apps remained unaffected. The attacks were mitigated, and SoundCloud published a security notice detailing the incident, remediation efforts, and confirming there is no ongoing risk to the platform.

 

In January, the cyber crime group ShinyHunters claimed responsibility for leaking data from SoundCloud among other companies. SoundCloud reviewed the leaked material and reported no evidence that sensitive data had been taken, though attackers reportedly harassed users, employees, and partners.

 

A recent analysis from data breach repository Have I Been Pwned revealed that 29.8 million accounts were exposed. The compromised data included “30M unique email addresses, names, usernames, avatars, follower and following counts and, in some cases, the user’s country.

 

“The attackers later attempted to extort SoundCloud before publicly releasing the data the following month.”

 

While SoundCloud has confirmed that the data security incident exposed email addresses and other publicly visible profile information, the company has not yet disclosed how many individuals were affected.