What Happened
In December 2025, SoundCloud suffered a major data breach when the ShinyHunters hacking group gained unauthorized access to an internal service dashboard, enabling them to map hidden email addresses to publicly available profile data for approximately 29.8 million user accounts (about 20% of its user base). The exposed information included email addresses, usernames, display names, avatars, follower/following counts, profile statistics, and in some cases users’ country of origin, but no passwords, financial data, or private content were compromised. SoundCloud detected the incident around December 15, 2025, publicly disclosed it, and faced subsequent denial-of-service attacks, extortion attempts via email flooding, and operational disruptions from firewall changes; after extortion failed, the data was leaked online in January 2026 and indexed by Have I Been Pwned on January 27. The breach prompted a class action lawsuit filed February 4, 2026, alleging negligence in cybersecurity practices.
