SoundCloud breach exposes 29.8M users' emails, usernames to ShinyHunters gang

Once breached data enters the wild, it rarely disappears.
SoundCloud's exposed dataset will circulate across criminal forums and marketplaces for years, providing persistent targeting resources.

In early 2026, SoundCloud — a platform carrying the creative output of tens of millions of artists — found itself the latest landmark in the long, unfinished story of digital vulnerability, as hackers exposed the personal data of nearly 30 million users. The extortion group ShinyHunters claimed responsibility, turning the breach into a campaign of harassment when the platform declined to comply with their demands. Though passwords and financial records were spared, the pairing of email addresses with public profile details opens a quieter but persistent door to manipulation and fraud. This event reminds us that in the architecture of modern life, even the seemingly ordinary data we share carries weight that outlasts the moment of its exposure.

  • Nearly 30 million SoundCloud users had their emails, usernames, and profile details stolen when hackers breached the platform's internal dashboards in early 2026.
  • The extortion gang ShinyHunters escalated beyond theft — flooding inboxes of users, employees, and partners with harassment campaigns after SoundCloud refused to pay.
  • Though no passwords or financial data were taken, the combination of private emails and public profiles gives criminals precisely what they need to craft convincing, personalized scams.
  • SoundCloud has confirmed the breach and extortion attempt but offered little transparency about the full scope of the intrusion or the state of its internal security controls.
  • The stolen dataset is now circulating across dark web forums and criminal marketplaces, where it will remain a live resource for phishing, account takeover, and identity fraud for years to come.

SoundCloud, home to over 400 million tracks and 40 million creators, confirmed in early 2026 that hackers had breached its internal systems and exposed personal data belonging to approximately 29.8 million users. The intrusion surfaced when users began hitting access errors on their accounts, prompting the company's security team to detect unauthorized activity on an internal service dashboard. By then, the damage was already done.

The exposed data included email addresses, usernames, display names, profile photos, follower counts, and in some cases geographic locations. Passwords and financial information were not compromised — a point SoundCloud was quick to emphasize. But the combination of private contact details and public profile information is more dangerous than it appears: it gives scammers the raw material to craft targeted, believable phishing messages that feel personal and legitimate to the people who receive them.

Security researchers attributed the breach to ShinyHunters, a prolific extortion gang previously linked to attacks on Okta, Microsoft, and Google. The group attempted to extort SoundCloud after stealing the data, and when the company refused, they launched email-flooding harassment campaigns against users and employees alike. SoundCloud confirmed the extortion attempt but has said little else, leaving users with limited information about the full scope of what was accessed.

The long-term risk is layered. Phishing and impersonation are the immediate threats, but attackers also use exposed emails to test passwords across other platforms and to build detailed profiles by cross-referencing data from multiple breaches. Experts recommend changing SoundCloud passwords, enabling two-factor authentication across all connected services, and monitoring email accounts closely for unexpected login alerts or password reset requests.

The SoundCloud breach is a reminder that data which appears harmless in isolation rarely stays that way. Once released into criminal networks, it circulates for years — a persistent resource for fraud long after the headlines fade. In an era of escalating breaches, the most reliable protection remains the same: strong, unique credentials, layered authentication, and a clear-eyed awareness of what we share and with whom.

SoundCloud, the sprawling audio platform that hosts more than 400 million tracks from over 40 million creators, discovered in early 2026 that hackers had breached its internal systems and exposed the personal information of approximately 29.8 million users. The breach came to light when users began encountering 403 Forbidden errors while trying to access their accounts, particularly those connecting through VPNs. The company's security team detected unauthorized activity targeting an internal service dashboard and initiated its incident response process, but the damage was already done.

The exposed data included email addresses, usernames, display names, profile photos, follower and following counts, and in some cases geographic locations. Notably, passwords and financial information were not compromised—a fact SoundCloud emphasized in its initial disclosures. That distinction, however, masks a more insidious threat. When email addresses are linked to public profiles, they become powerful tools for social engineering. Scammers can craft convincing phishing messages, impersonate creators or the platform itself, and use follower counts and usernames to make their pitches feel personal and legitimate. Once trust is established, attackers typically push malicious links, malware, or fake login pages designed to capture credentials or install software that grants access to broader accounts.

Security researchers and sources speaking to industry publications traced the breach to ShinyHunters, a well-known extortion gang with a track record of targeting high-profile companies. The group did not simply steal the data and disappear. Instead, they attempted to extort SoundCloud following the breach, and when the company did not comply, they launched email-flooding campaigns designed to harass users, employees, and partners. ShinyHunters has also claimed responsibility for recent voice phishing attacks targeting single sign-on systems at Okta, Microsoft, and Google—attacks aimed at stealing corporate data and forcing payments.

SoundCloud confirmed the extortion attempt but has remained largely silent on other details. The company has not disclosed the full scope of the breach, the state of its internal controls, or whether additional sensitive data may have been accessed. A company representative stated only that the security team, working with third-party cybersecurity experts, was actively reviewing the claims and published data. That measured response does little to address the long-term risk facing users: once breached data enters the wild, it rarely disappears. The dataset will circulate across forums, marketplaces, and scam networks for years, providing a persistent resource for criminals seeking to target SoundCloud users.

For users, the immediate threat is phishing and impersonation. Scammers move quickly after breaches, flooding inboxes with messages referencing account warnings, copyright issues, or music uploads. The secondary threat is account takeover. Attackers often reuse exposed email addresses to test logins across streaming services, social media, and shopping platforms, looking for weak or reused passwords. The tertiary threat is data aggregation: criminals cross-reference breached emails with information available on the dark web and through data broker sites, building detailed profiles that enable increasingly sophisticated targeted scams.

Defense requires multiple layers. Users should change their SoundCloud passwords regardless of whether passwords were exposed in this breach, using unique credentials not deployed elsewhere. Two-factor authentication should be enabled on SoundCloud and any connected services. Email accounts—which serve as the master key to all other accounts—deserve particular attention: strong, unique passwords and two-factor authentication are non-negotiable. Users should monitor their inboxes for unexpected password reset emails or login alerts from unfamiliar locations. Checking whether email addresses have appeared in past breaches, using breach-scanning tools available through password managers, can reveal whether credentials have been compromised elsewhere and need immediate rotation.

The SoundCloud breach illustrates a broader shift in how data breaches unfold and persist. The information exposed may appear benign compared to breaches involving passwords or credit card numbers, but that appearance is deceptive. Public profile data paired with private contact details creates real exposure, especially when the data circulates among criminal networks for years. As breaches continue to escalate in frequency and scope, staying alert, limiting the data shared online, and maintaining strong security habits remain the most reliable defenses available to ordinary users.

We are aware that a threat actor group has published data online allegedly taken from our organization. Our security team—supported by leading third-party cybersecurity experts—is actively reviewing the claim and published data.
— SoundCloud representative
The Hearth Conversation Another angle on the story
Inventor

Why does this breach matter if passwords weren't stolen? Doesn't that make it less serious?

Model

It's actually the opposite. An email address tied to a real profile is a blueprint for social engineering. A scammer can craft a message that feels personal, reference your follower count, maybe mention a copyright claim. You're more likely to click. That's how account takeovers begin.

Inventor

So the real risk is phishing, not immediate account theft?

Model

Phishing is the entry point. Once they have your password, they can reset passwords on your email, which unlocks everything else. Your email is the master key.

Inventor

How long does this data stay useful to criminals?

Model

Years. Once it's published on forums and marketplaces, it circulates indefinitely. Attackers use it to cross-reference with other breaches, build profiles, test logins across platforms. The damage doesn't end when the headline fades.

Inventor

Why did ShinyHunters go after SoundCloud specifically?

Model

Scale. 29.8 million users is leverage. They attempted extortion, and when that didn't work, they harassed users and employees with email floods. It's pressure from multiple angles.

Inventor

What's the most practical thing a SoundCloud user should do right now?

Model

Change your password to something unique, enable two-factor authentication, and lock down your email account. Your email is the real target. Everything else flows from there.

Contact Us FAQ