Critical

SongTrivia2 Breach Exposes 291K User Passwords

In April 2026, the music trivia platform SongTrivia2 suffered a data breach that was subsequently published to a public hacking forum. The data contained a total of 291k unique email addresses sourced from either Google OAuth logins or accounts created on the site, the latter also containing bcrypt...

Overview

On April 14, 2026, the music trivia platform SongTrivia2 suffered a data breach that was subsequently published on a public hacking forum. The dump contains 291,739 unique email addresses together with usernames, names and, for accounts created directly on the site, bcrypt password hashes. The breach was loaded into Have I Been Pwned (HIBP), so users can check whether their address was included.

What Was Exposed

The leaked dataset includes:

  • Email Addresses - 291,739 unique addresses, sourced from either Google OAuth logins or accounts created directly on the site.
  • Passwords - Stored as bcrypt hashes for accounts created on the platform. Accounts that only ever signed in with Google OAuth have no password on the site and so are not exposed to password cracking.
  • Usernames - Linked to each account.
  • Names - Associated with user profiles.

The presence of bcrypt hashes is notable - bcrypt is a salted, deliberately slow password hash whose work factor (cost) makes every guess expensive, so recovering a strong, unique password from its hash is impractical. Weak or reused passwords are another matter: an attacker holding the dump runs an offline dictionary attack, and common passwords fall regardless of the algorithm, just more slowly than they would against MD5 or SHA-1.
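When a dump like this lands, the first analyst question is usually "what exactly is in the password column?". The following triage script is an added example (not code from SongTrivia2 or from HIBP): it classifies each hash by format, extracts the bcrypt cost factor from the modular-crypt prefix, and flags accounts whose hash is either unsalted or uses a cost below 10. The dump lines, the email addresses and the hash values are all constructed for the example; the bcrypt strings are syntactically valid but synthetic, and the `MIN_ACCEPTABLE_COST` threshold is an assumed policy value.

```python
import re
from collections import Counter

# Constructed sample in the "email:hash" layout typical of leaked dumps.
# These are NOT records from the SongTrivia2 breach; the hashes are synthetic.
# "dave" has an empty hash, as an OAuth-only account would.
SAMPLE_DUMP = """\
alice@example.com:$2b$12$R9h/cIPz0gi.URNNX3kh2OPST9/PgBkqquzi.Ss7KIUgO2t0jWMUW
bob@example.com:$2a$04$R9h/cIPz0gi.URNNX3kh2OPST9/PgBkqquzi.Ss7KIUgO2t0jWMUW
carol@example.com:5f4dcc3b5aa765d61d8327deb882cf99
dave@example.com:
erin@example.com:$2y$10$R9h/cIPz0gi.URNNX3kh2OPST9/PgBkqquzi.Ss7KIUgO2t0jWMUW
"""

# bcrypt modular crypt format: $2<variant>$<2-digit cost>$<22-char salt><31-char hash>,
# all 53 trailing characters drawn from bcrypt's own base64 alphabet.
BCRYPT_RE = re.compile(r"^\$2[abxy]?\$(\d{2})\$[./A-Za-z0-9]{53}$")
MD5_RE = re.compile(r"^[0-9a-f]{32}$")

# Assumed policy threshold: bcrypt work factor 10 or higher (2^10 rounds per guess).
MIN_ACCEPTABLE_COST = 10


def classify(hash_str):
    """Return (kind, cost): kind is 'bcrypt', 'md5', 'empty' or 'unknown';
    cost is the bcrypt work factor, or None for other kinds."""
    if not hash_str:
        return ("empty", None)
    m = BCRYPT_RE.match(hash_str)
    if m:
        return ("bcrypt", int(m.group(1)))
    if MD5_RE.match(hash_str):
        return ("md5", None)
    return ("unknown", None)


def triage(dump_text):
    """Summarise hash formats in a dump and list accounts whose hash is cheap to attack.

    Returns (Counter of kinds, list of (email, reason)) in dump order."""
    kinds = Counter()
    weak = []
    for line in dump_text.splitlines():
        if ":" not in line:
            continue
        email, hash_str = line.split(":", 1)
        kind, cost = classify(hash_str.strip())
        kinds[kind] += 1
        if kind == "bcrypt" and cost < MIN_ACCEPTABLE_COST:
            # Each cost step halves the attacker's work; cost 4 is 64x cheaper than cost 10.
            weak.append((email, f"bcrypt cost {cost} ({2 ** (MIN_ACCEPTABLE_COST - cost)}x cheaper than cost {MIN_ACCEPTABLE_COST})"))
        elif kind == "md5":
            weak.append((email, "unsalted md5"))
    return kinds, weak


if __name__ == "__main__":
    kinds, weak = triage(SAMPLE_DUMP)
    print("hash formats:", dict(kinds))
    for email, reason in weak:
        print("weak:", email, "-", reason)
```

Run against a real dump file by replacing `SAMPLE_DUMP` with the file contents; the `empty` count is a quick estimate of how many accounts were OAuth-only, and any non-bcrypt format in the column is a finding in its own right.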

How the Breach Happened

The exact attack vector has not been disclosed. The data's appearance on a public hacking forum is consistent with a direct database compromise or a vulnerability in SongTrivia2's backend; dumps published this way commonly originate from SQL injection, exposed or misconfigured database servers, or stolen administrative credentials, but none of these has been confirmed for this incident. The use of bcrypt indicates some attention to password storage, yet the dump still exposes email addresses, usernames and names that can fuel targeted phishing campaigns.

How to Check If You’re Affected

Users can verify if their account was compromised by visiting Have I Been Pwned and searching for their email address. The breach is listed as SongTrivia2 in HIBP’s database. If your email appears, assume all associated data - including your username and name - is now public.

What to Do Right Now

  1. Change your SongTrivia2 password immediately if you used a direct account (not Google OAuth). Choose a strong, unique password generated by a password manager.
  2. Enable two-factor authentication (2FA) on any account that supports it, especially if you reused the same password elsewhere.
  3. Watch for phishing emails targeting SongTrivia2 users. Attackers may use your exposed name and username to craft convincing messages.
  4. Check for credential stuffing - if you reused your SongTrivia2 password on other sites (including email), change those passwords immediately.
  5. Do not expect financial fraud from this breach alone - no payment or financial data was exposed, so a credit freeze is not warranted on this basis. Treat the combination of name, email and username as social-engineering material instead: a message that addresses you by both your real name and your SongTrivia2 username is not proof that it came from the site.
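The HIBP email search above tells you whether your address is in the dump; HIBP's companion Pwned Passwords range API lets you answer step 4 for a specific password without ever sending that password, or even its full hash, to a remote service. The client hashes the password with SHA-1, sends only the first five hex characters, receives every known suffix for that prefix, and does the match locally (k-anonymity). The implementation below is an added example, not HIBP's client code: the endpoint URL is the real one, while the `FakeApi` stand-in and the list of "breached" passwords in `CONSTRUCTED_BREACHED` are constructed so the logic runs offline.

```python
import hashlib
import urllib.request
from collections import defaultdict

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"  # real HIBP endpoint


def sha1_upper(password):
    """Uppercase hex SHA-1, the form the Pwned Passwords API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def check_password(password, fetch_range):
    """Return how many times `password` appears in Pwned Passwords (0 if unseen).

    Only the 5-character hash prefix is handed to `fetch_range`; the remaining 35
    characters never leave this function, which is the k-anonymity property."""
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    body = fetch_range(prefix)  # text of "SUFFIX:COUNT" lines for that prefix
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        cand_suffix, _, count = line.partition(":")
        if cand_suffix.upper() == suffix:
            return int(count)
    return 0


def live_fetch(prefix):
    """Network fetch against the real API; separated so the matching logic is testable offline."""
    req = urllib.request.Request(
        PWNED_RANGE_URL + prefix,
        headers={"User-Agent": "breach-check-example"},  # assumed UA string; HIBP requires one
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# ---- Offline stand-in for the API, built from a constructed "breached" list ----
CONSTRUCTED_BREACHED = {"password123": 123456, "qwerty": 4000000, "letmein": 250000}


def build_fake_ranges(breached):
    """Group constructed breached passwords by 5-char prefix, as the server would."""
    ranges = defaultdict(list)
    for pw, count in breached.items():
        d = sha1_upper(pw)
        ranges[d[:5]].append(f"{d[5:]}:{count}")
    return ranges


class FakeApi:
    def __init__(self, breached):
        self.ranges = build_fake_ranges(breached)
        self.requested = []  # records exactly what the "server" was told

    def fetch(self, prefix):
        self.requested.append(prefix)
        # Always return at least one decoy line, as a real range response is never empty.
        decoy = "F" * 35 + ":1"
        return "\r\n".join(self.ranges.get(prefix, []) + [decoy])


if __name__ == "__main__":
    api = FakeApi(CONSTRUCTED_BREACHED)
    for pw in ("password123", "SongTrivia2-unique-passphrase-9f3"):
        print(pw, "->", check_password(pw, api.fetch))
    print("prefixes sent to server:", api.requested)
    # To query the real service: check_password("...", live_fetch)
```

Swap `api.fetch` for `live_fetch` to query the real service; a non-zero count means the password is in a known dump and should be treated as burned everywhere it was used.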

Account Takeover Risks

The primary risk from this breach is account takeover. Credential stuffing means replaying leaked email/password pairs against other services, and this dump feeds it directly: the email addresses and usernames are in the clear, and any bcrypt hash of a weak password (e.g., "password123") will be cracked offline and paired with its address. If you reused your SongTrivia2 password on any other account, assume those accounts are compromised and change them now.
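On the defender's side, the same dump shows up as a burst of login attempts from one source against many different accounts, most of them failing and the occasional one succeeding where a user reused their password. The detector below is an added example (not from any vendor product): it slides a time window over per-IP login events, flags sources that try at least `min_users` distinct usernames with a high failure ratio, and reports which accounts did log in successfully inside that burst, since those are the takeovers to act on. The log lines and IP addresses are constructed, and the log format, thresholds and window are assumptions to adjust to your own telemetry.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed auth events (not from any real system): timestamp, source IP, username, outcome.
# 203.0.113.7 sprays seven different accounts in ten seconds and gets into "bob";
# 198.51.100.4 is one user mistyping their own password twice.
SAMPLE_AUTH_LOG = """\
2026-04-15T10:00:01Z 203.0.113.7 alice FAIL
2026-04-15T10:00:03Z 203.0.113.7 bob OK
2026-04-15T10:00:04Z 203.0.113.7 carol FAIL
2026-04-15T10:00:06Z 203.0.113.7 dave FAIL
2026-04-15T10:00:08Z 203.0.113.7 erin FAIL
2026-04-15T10:00:09Z 203.0.113.7 frank FAIL
2026-04-15T10:00:11Z 203.0.113.7 grace FAIL
2026-04-15T10:02:00Z 198.51.100.4 alice FAIL
2026-04-15T10:02:10Z 198.51.100.4 alice FAIL
2026-04-15T10:02:25Z 198.51.100.4 alice OK
"""


def parse_line(line):
    """Parse one assumed-format line into (datetime, ip, user, outcome)."""
    ts, ip, user, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome


def detect_stuffing(log_text, window=timedelta(seconds=60), min_users=5, min_fail_ratio=0.6):
    """Flag source IPs that try many distinct usernames within `window`, mostly failing.

    Returns {ip: {"distinct_users", "attempts", "failures", "successes"}} where
    "successes" lists accounts that logged in during the flagged burst (likely takeovers).
    For each IP the window with the most distinct usernames is reported."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        by_ip[ev[1]].append(ev)

    alerts = {}
    for ip, events in by_ip.items():
        events.sort()  # chronological; tuples sort on the datetime first
        start = 0
        for end in range(len(events)):
            # Advance the window start until all events fit inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            win = events[start:end + 1]
            users = {e[2] for e in win}
            fails = sum(1 for e in win if e[3] == "FAIL")
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                prev = alerts.get(ip)
                if prev is None or len(users) > prev["distinct_users"]:
                    alerts[ip] = {
                        "distinct_users": len(users),
                        "attempts": len(win),
                        "failures": fails,
                        "successes": sorted({e[2] for e in win if e[3] == "OK"}),
                    }
    return alerts


if __name__ == "__main__":
    for ip, info in detect_stuffing(SAMPLE_AUTH_LOG).items():
        print(f"credential stuffing from {ip}: {info}")
```

The successful logins inside a flagged burst are the accounts to force a password reset and session revocation on; the failing usernames tell you which of your users appear in someone's combo list even if their password held.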

Security Insight

SongTrivia2’s use of bcrypt for direct-account passwords is a genuine but limited positive: the breach itself shows that an attacker was able to read and exfiltrate the entire user table, including the email addresses of Google OAuth users who never set a password on the site. That points to a failure in access controls, monitoring, or both, and password hashing does nothing to limit the exposure of names, usernames and email addresses. Other trivia and quiz platforms have suffered comparable user-database leaks (QuizUp is the best-known case), and the HIBP listing does not say whether SongTrivia2 notified users itself or offers 2FA. The lesson is the familiar one: a strong hashing algorithm protects passwords after a compromise, but it cannot compensate for the access control and detection failures that allow the database to be taken in the first place.
