Data breach notification service Have I Been Pwned reported that around 29.8 million users experienced a breach of their SoundCloud accounts, with personal and contact information being exposed. This incident affected one of the largest audio platforms globally, and many users found themselves unable to access their accounts, receiving various error messages before confirmation of the breach was provided.
Established in 2007, SoundCloud has evolved into an influential service for artists, hosting over 400 million tracks from more than 40 million creators. The sheer scale of this platform makes the situation alarming. SoundCloud discovered fraudulent activities linked to its internal service dashboard and has initiated a process to address the incident. During this time, users reported encountering 403 Forbidden errors, predominantly when using a VPN.
What data was leaked in the SoundCloud breach?
Initially, SoundCloud stated that the compromised data was limited and did not involve passwords or financial details. They mentioned that the exposed information matched what users had made publicly available in their profiles.
However, further disclosures painted a more extensive picture. According to Have I Been Pwned, the attackers accessed data from approximately 29.8 million accounts, which included:
- email addresses
- usernames and display names
- profile photos and avatars
- follower counts
- geographic locations (in some cases)
While passwords were not part of the breach, linking an email address to a public profile creates vulnerabilities, as this combination can facilitate phishing, identity theft, and targeted scams.
Who is behind the attack?
Security experts have connected the breach to the ShinyHunters extortion group. Reports indicate that this group attempted to blackmail SoundCloud following the breach, a claim which SoundCloud later acknowledged. In a January update, the company noted that attackers began a campaign of harassment aimed at users, employees, and partners through requests and email flooding. ShinyHunters has also been linked to voice phishing attacks against other companies like Okta, Microsoft, and Google, aiming for data theft and extortion involving SaaS accounts.
Why this breach matters even without a password
At first glance, the breach might not seem as critical as one involving passwords or credit card information, but such assumptions can be misleading. Having an email associated with a genuine profile offers scammers an opportunity to create convincing messages. They could impersonate brands or creators, using details like follower counts and usernames to make communications appear credible. Once scammers gain trust, they commonly attempt to send links, malware, or fake login pages, potentially leading to major account takeovers.
What SoundCloud users should expect next
SoundCloud has not clarified whether more details will be disclosed. While the company acknowledged the attack and the attempt at extortion, it has not provided insights regarding the depth of the breach or its internal safeguards. Users now face a long-term risk tied to the widespread availability of the exposed dataset. Once data is made public, it rarely vanishes, and this information has been circulating among forums and scam networks for years.
A representative from SoundCloud stated, “We are aware that a threat actor group has published data online that they allegedly obtained from our organization. Please know that our security team, with support from leading third-party cybersecurity experts, is actively reviewing this claim and the published data.”
The company insisted that there was no evidence that sensitive information, such as passwords or financial data, was compromised.
How to stay safe after a SoundCloud breach
If you have or have had a SoundCloud account, it’s crucial to act now. Even minor data leaks can lead to targeted scams if not addressed.
1) Be cautious of phishing and spoofed emails
Fraudsters often act quickly following a breach. Monitor your inbox for messages that mention SoundCloud, music uploads, copyright issues, or account warnings. It’s wise to avoid clicking links or opening attachments from unexpected emails. If unsure, go directly to the official website instead of using links from emails. Robust antivirus software can provide additional security here.
2) Change your SoundCloud password anyway
Even if your password wasn’t exposed, changing it is still advisable. Choose a new password that you haven’t used elsewhere to enhance security. If remembering multiple passwords is a challenge, consider a password manager for generating strong, unique passwords and storing them securely.
3) Turn on two-factor authentication
Enabling two-factor authentication (2FA) adds an extra layer of security. It requires a second form of verification if someone tries to access your account, which can thwart unauthorized access even if your password is compromised. Activate 2FA for SoundCloud and any linked services.
4) Secure your email account
Your email often becomes the main target following breaches. Gaining access to it can allow attackers to reset passwords for other accounts. Use strong, unique passwords for your email and enable 2FA. It’s also important to verify that your recovery email and phone number are current.
5) Reduce your online data footprint
Compromised emails can lead attackers to data broker sites and social media for more information. Minimizing online data can complicate efforts to target you. Consider using a data deletion service to help control the exposure of your personal information online.
6) Check other accounts for suspicious activity
After a breach, attackers often test compromised email accounts against various platforms, such as streaming services, social media, and shopping sites. Be wary of unsolicited password reset requests and alerts about logins from unfamiliar locations. If anything seems amiss, take action promptly.
In summary, data breaches, like the one at SoundCloud, demonstrate that even so-called harmless public information can lead to significant risks. Ongoing vigilance, cautious data sharing, and solid security practices remain your best defense against these threats.
