Hackers have been exposed Personal and contact information associated with SoundCloud accounts, data breach notification service Have I Been Pwned reported the impact to approximately 29.8 million users. The breach hit one of the world’s largest audio platforms, causing many users to be locked out and receive error messages before the company confirmed the incident.

Founded in 2007, SoundCloud has grown into an artist-first service, hosting more than 400 million tracks from more than 40 million creators. The scale makes this incident particularly concerning. SoundCloud said it detected unauthorized activity related to an internal service dashboard and initiated an incident response process. At the time, users reported 403 Forbidden errors, especially when connecting via VPN.

Sign up for my free CyberGuy reportget My best tech tipsemergency security alerts and exclusive offers delivered right to your inbox. Plus, when you join my site, you’ll get immediate, free access to my Ultimate Scam Survival Guide CYBERGUY.COM communication

149 million passwords exposed in massive credential breach

After a user reported an access error, SoundCloud confirmed the unauthorized activity, triggering an internal incident response. (iStock)

What data was exposed in the SoundCloud breach

SoundCloud initially said the attackers accessed limited data and did not touch passwords or financial information. The company said the exposed information matched what was publicly displayed on the user’s profile.

Later revelations painted a bigger picture.

According to Have I Been Pwned, the attackers obtained data from approximately 29.8 million accounts. This data includes:

• email address
• Username and display name
• Profile photo and avatar
• Follower and Following Count
• In some cases, geographic location

Although no passwords were stolen, Link email to public profile pose a real risk. This combination fuels phishing, impersonation, and targeted scams.

Who is behind this attack

Security researchers linked this vulnerability to the well-known ShinyHunters. extortion gang. Sources told BleepingComputer that the group was trying to blackmail SoundCloud after the data breach. SoundCloud later confirmed the claims. The company said in a January update that attackers made requests and launched email flood campaigns to harass users, employees and partners. ShinyHunters also claimed responsibility for recent voice phishing attacks targeting the single sign-on systems of Okta, Microsoft and Google. These attacks target enterprise SaaS accounts to steal data and hold them to ransom.

Why this breach matters even without a password

At first glance, this may not sound as serious as a compromised password or credit card. This assumption can be dangerous. Email addresses tied to real profiles enable scammers to craft convincing messages. They can impersonate SoundCloud, brands, or even other creators. With follower count and username, messages appear personalized and credible. Once attackers gain trust, they can push links, malware, or fake login pages. This is often how larger account acquisitions begin.

What SoundCloud users should expect next

SoundCloud has not yet said if more details will be released. The company did confirm the attack and extortion attempt but has not responded to follow-up questions about the scope or internal controls. The long-term risk for users comes from how widely this data set spreads. Once published, exposed data rarely disappears. It has been circulating in forums, marketplaces and scam networks for years.

We reached out to SoundCloud for comment, and a representative told us,

“We are aware that a threat group has posted data online that it purportedly obtained from our organization. Please note that our security team, with support from leading third-party cybersecurity experts, is actively reviewing the statement and the released data.”

SoundCloud said it found no evidence that sensitive data such as passwords or financial information was accessed.

How to stay safe after a SoundCloud breach

If you have or have had a SoundCloud account, now is the time to take action. Even limited data exposure can lead to targeted scams if you ignore it.

1) Be wary of phishing and impersonation emails

Scammers often act quickly after a breach. Watch your inbox for messages mentioning SoundCloud, music uploads, copyright issues, or account warnings. Don’t click on links or open attachments in unexpected emails. If in doubt, go directly to the official website instead of using the email link. Powerful antivirus software Another layer of protection is added here.

Email and public profile data of nearly 29.8 million accounts was collected, raising concerns about phishing and impersonation. (Cyberguy.com)

The best way to protect yourself from malicious links that install malware and potentially access your private information is to install strong antivirus software on all your devices. This protection can also alert you to phishing emails and ransomware scams, keeping your personal information and digital assets safe.

Get my picks for the winners of the best antivirus protection of 2026 for your Windows, Mac, Android, and iOS devices: Cyberguy.com

2) Change your SoundCloud password anyway

Passwords are not exposed, but it is still wise to change them. Create a new password that you don’t use elsewhere. If remembering your passwords feels impossible, consider using a password manager to generate and securely store strong passwords. This reduces the risk of cross-platform reuse.

Next, check to see if your email has been exposed in a past breach. Our #1 Password Manager (See Cyberguy.com) pick includes a built-in vulnerability scanner that checks if your email address or password appears in a known leak. If you find a match, immediately change any reused passwords and secure those accounts with new, unique credentials.

Check out the best expert-reviewed password managers of 2026: Cyberguy.com

3) Turn on two-factor authentication

Two-factor authentication (2FA) adds a critical hurdle if someone tries to access your account. Even if an attacker later guesses or obtains the password, they still require a second verification step. Enable 2FA anywhere SoundCloud or connected services offer 2FA.

4) Lock your email account

After most breaches, your email is the real target. If someone gains access, they can reset their password elsewhere. Use a strong and unique password for your email account and enable two-factor authentication. Check the recovery email and phone number to make sure they are still yours.

Data breach exposes information of 400,000 bank customers

5) Reduce your online data footprint

Attackers used leaked emails to search data broker websites and social platforms for more details. The less data available, the harder it is for you to target. Consider using a data removal service to limit how often your emails and personal details appear online.

While no service can guarantee complete removal of your data from the internet, data removal services are certainly a smart choice. They’re not cheap, and neither is your privacy. These services do all the work for you by proactively monitoring and systematically removing your personal information from hundreds of websites. This gives me peace of mind and has proven to be the most effective way to remove personal data from the internet. By limiting the information available, you reduce the risk of scammers cross-referencing breached data with information they might find on the dark web, making it harder for them to target you.

Check out my picks of data removal services and find out if your personal information has been exposed online by visiting a free scan Cyberguy.com

Scan for free to find out if your personal information has been exposed online: Cyberguy.com

6) Check your other accounts for suspicious activity

Attackers often reuse exposed email addresses to test logins to streaming services, social media, and shopping accounts. Watch for password reset emails you didn’t request or login alerts from unfamiliar locations. If something doesn’t seem right, take action quickly.

Security researchers linked the breach to the ShinyHunters ransomware group, which later tried to pressure SoundCloud into paying. (Thomas Trutcher/Photothek via Getty Images)

Kurt’s key takeaways

Data breaches are no longer limited to one application or one moment in time. Even if an attacker leaks seemingly innocuous information, the consequences can last much longer. The SoundCloud breach shows how the combination of public profile data and private contact details can create real exposure. As breaches continue to escalate, remaining vigilant, limiting data sharing, and using strong security habits remain your best defenses.

Have you checked to see which old or forgotten accounts still expose your email and may now be putting you at risk? Please write to us and let us know what you think Cyberguy.com

Click here to download the Fox News app

Sign up for my free CyberGuy report Get my best tech tips, emergency security alerts, and exclusive offers delivered right to your inbox. Plus, when you join my site, you’ll get immediate, free access to my Ultimate Scam Survival Guide CYBERGUY.COM communication

Copyright 2026 CyberGuy.com. all rights reserved.