SoundCloud Confirms Breach Affecting 28 Million Users
ShinyHunters cyber extortion group targets SoundCloud, compromising 20% of users and launching DDoS attacks. Company confirms email addresses exposed.
Audio streaming platform SoundCloud has confirmed a security breach affecting approximately 20% of its user base—roughly 28 million accounts—followed by denial-of-service attacks that temporarily disrupted the service. The notorious ShinyHunters cyber extortion group is believed responsible and is demanding payment to prevent data from being leaked.
What Happened
SoundCloud disclosed the incident on Monday, December 16, 2025, confirming that attackers breached a secondary administrative system used for internal operations. According to Help Net Security, the company launched its incident response procedures upon detection and brought in external cybersecurity specialists to assist with containment and investigation.
Following the initial breach, SoundCloud was hit by two separate denial-of-service attacks that temporarily disrupted website access for users. The company has since made configuration changes to address these attacks.
Data Compromised
SoundCloud stated that the stolen data consists of:
- Email addresses
- Information already visible on public SoundCloud profiles
The company emphasized that no financial data, passwords, or other sensitive information was accessed in the breach. However, the combination of email addresses with public profile information could enable targeted phishing attacks against affected users.
The ShinyHunters Connection
While SoundCloud did not publicly name the attackers, security researchers have attributed the breach to ShinyHunters, a well-known cyber extortion group with a history of high-profile data thefts.
ShinyHunters operates on an extortion model: they breach organizations, steal data, and demand payment to prevent public release. If victims refuse to pay, the data is typically sold on underground forums or leaked publicly.
The group's previous targets include:
- Microsoft (GitHub repositories)
- Tokopedia
- Wattpad
- Pixlr
- Bonobos
- AT&T
Their involvement suggests SoundCloud users should prepare for potential data exposure if negotiations fail.
Multi-Stage Attack Pattern
This incident demonstrates an increasingly common attack pattern where threat actors combine data theft with disruptive attacks:
- Initial Breach: Unauthorized access to obtain sensitive data
- Extortion Demand: Threat to leak or sell stolen data
- DoS Attacks: Additional pressure through service disruption
- Public Pressure: Media attention amplifies leverage
The DDoS attacks serve multiple purposes: they demonstrate the attacker's capabilities, create additional pressure on the victim organization, and generate media coverage that increases reputational damage.
SoundCloud's Response
The company has taken several steps:
- Activated incident response protocols
- Engaged third-party cybersecurity experts
- Implemented configuration changes to mitigate DoS attacks
- Committed to sharing updates as the situation develops
SoundCloud stated they believe "attackers no longer have access to their data," though the investigation remains ongoing.
What Affected Users Should Do
If you have a SoundCloud account, take these precautions:
Immediate Actions
- Be alert for phishing emails claiming to be from SoundCloud, music labels, or collaboration requests
- Verify sender addresses carefully before clicking any links
- Enable two-factor authentication on your SoundCloud account if not already active
- Change your password as a precautionary measure, especially if you reuse passwords across services
Monitor For
- Unexpected login notifications
- Unauthorized changes to your profile
- Suspicious collaboration requests or messages
- Emails requesting account verification or password resets
The Broader Context
This breach comes amid a surge of attacks against entertainment and media platforms. Streaming services hold valuable user data including listening habits, location information, and payment details—making them attractive targets.
The music industry specifically faces unique challenges:
- Large user bases with varying security awareness
- Creator accounts with potential access to unreleased content
- Integration with payment processors for subscriptions and royalties
- Social features that create rich profile data
Industry Implications
SoundCloud's handling of this breach will be closely watched. Key questions include:
- Will SoundCloud pay the extortion demand?
- How will they notify affected users?
- What regulatory responses might follow (particularly under GDPR)?
- Will ShinyHunters follow through on leak threats?
The extortion economy continues to thrive because some organizations pay. Each payment validates the business model and funds future attacks.
Resources
SoundCloud users should remain vigilant for phishing attempts and monitor their accounts for suspicious activity. We will update this article as the situation develops.