Critical

SoundCloud Breach: 29.8M Accounts Exposed

In December 2025, SoundCloud announced it had discovered unauthorised activity on its platform. The incident allowed an attacker to map publicly available SoundCloud profile data to email addresses for approximately 20% of its users. The impacted data included 30M unique email addresses, names, use...

Overview

On December 23, 2025, SoundCloud disclosed a data breach affecting approximately 29.8 million user accounts - roughly 20% of its user base. The incident was reported to Have I Been Pwned (HIBP), which confirmed the exposed data included email addresses, usernames, and full names. The breach was discovered during a routine security review, where SoundCloud identified unauthorized activity that had harvested publicly available profile data and cross-referenced it with email addresses. This is the second major breach for SoundCloud, following a 2017 incident that exposed 15 million accounts.

What Was Exposed

The breached data consists of three types:

  • Email Addresses (30 million unique) - The core of the exposure, allowing attackers to link SoundCloud profiles to real-world identities.
  • Usernames - Public-facing handles, often reused across platforms, enabling account discovery on other services.
  • Names - First and last names, which when paired with email addresses create a significant opportunity for phishing and social engineering.

No passwords, payment card data, or phone numbers were exposed in this incident. However, the combination of email and name data is valuable for targeted attacks.

How the Breach Happened

According to SoundCloud’s disclosure, the attacker exploited the platform’s publicly available profile information - user bios, profile pictures, and follower lists - and matched it against email addresses through an unspecified data correlation technique. This did not require direct access to SoundCloud’s internal systems; rather, it leveraged the public-facing API endpoints that were designed to show user profiles. The company has since “further limited” data accessible via public profiles and notified affected users.

Account Takeover Risks

While SoundCloud credentials were not stolen, the exposed data creates a significant account takeover risk because:

  • Credential reuse: Many users reuse emails and usernames across platforms. Attackers can now feed these emails into credential-stuffing tools targeting other services.
  • Phishing campaigns: Real names and email addresses make phishing emails far more convincing. Attackers can craft messages referencing your SoundCloud activity to trick you into revealing passwords or clicking malicious links.
  • Social engineering: Knowing your username and real name, attackers can impersonate you or SoundCloud support to gain access to other accounts.

Identity Theft Risks

The risk of full-scale identity theft (such as opening credit cards or loans) is low, as no Social Security numbers, addresses, or financial data were exposed. However, the data is highly useful for targeted identity fraud - for example, filing fake tax returns or applying for government benefits using your name and email. The real-world likelihood remains moderate, as most identity theft requires additional PII such as addresses or dates of birth.

What to Do Right Now

  1. Check if you’re affected: Visit Have I Been Pwned and enter your email address. If SoundCloud appears in the results, your data was exposed.
  2. Enable two-factor authentication (2FA) on your SoundCloud account and any other services that share your email. This protects against credential-stuffing attacks.
  3. Watch for phishing emails: Be suspicious of any emails claiming to be from SoundCloud, especially those asking you to “verify your account” or “reset your password.” Hover over links to inspect the URL before clicking.
  4. Change passwords on shared accounts: If you use the same password for SoundCloud that you use on other services (banking, email, social media), change those passwords immediately. Use a password manager to generate unique, strong passwords.
  5. Monitor your accounts: Check your email for unauthorized login attempts and review your SoundCloud account activity for any changes you didn’t make.

Security Insight

This breach reveals a recurring blind spot in platform security: the assumption that “public” data is harmless. SoundCloud failed to anticipate that combining publicly visible profile data with email addresses - which they knew were private - could create a data map valuable to attackers. The incident mirrors the 2022 LinkedIn data scraping incident (which exposed 700 million profiles via API abuse) and underscores that any data accessible through a public endpoint, even if individually innocuous, is vulnerable to aggregation attacks. Companies must treat even “public” data as sensitive when it can be combined, and rate-limit API access to prevent mass scraping.
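One way to spot the mass scraping described above is to count how many distinct profiles each client looks up within a sliding window, rather than its raw request rate. This is an added example, not SoundCloud's code; the log format, client keys, `/profiles/<id>` path and thresholds are all constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format (assumption): "<ISO time> <client key> GET /profiles/<id>"
LINE_RE = re.compile(r"^(\S+) (\S+) GET /profiles/(\d+)$")


def find_enumerators(lines, window=timedelta(seconds=60), max_distinct=20):
    """Map each client that exceeded max_distinct profiles in one window
    to the peak distinct count seen. Input must be in time order."""
    recent = defaultdict(deque)  # client -> (time, profile_id) pairs in window
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a profile lookup
        ts, client, profile = datetime.fromisoformat(m[1]), m[2], m[3]
        q = recent[client]
        q.append((ts, profile))
        while ts - q[0][0] > window:  # drop lookups older than the window
            q.popleft()
        distinct = len({p for _, p in q})
        if distinct > max_distinct:
            flagged[client] = max(flagged.get(client, 0), distinct)
    return flagged


def sample_log():
    """Constructed traffic: a repeat listener, a crawler and a slow browser."""
    base = datetime(2025, 1, 1, 12, 0, 0)
    rows = []
    for i in range(40):  # 40 requests, only 3 distinct profiles
        rows.append((base + timedelta(seconds=i), "key-listener", 100 + i % 3))
    for i in range(50):  # 50 distinct profiles, one per second
        rows.append((base + timedelta(seconds=i), "key-crawler", 5000 + i))
    for i in range(30):  # 30 distinct profiles, one every 10 seconds
        rows.append((base + timedelta(seconds=10 * i), "key-slow", 900 + i))
    rows.sort()
    return [f"{t.isoformat()} {c} GET /profiles/{p}" for t, c, p in rows]


if __name__ == "__main__":
    print(find_enumerators(sample_log()))
```

The repeat listener sends almost as many requests as the crawler but is never flagged, while the slow client only shows up once the threshold is lowered, so the window and limit need tuning against real traffic.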
