According to IThome, music streaming platform SoundCloud has recently uncovered a security incident in which unauthorized access to one of its peripheral service dashboards allowed the attacker to map the email addresses of about 20% of its users to data that could have been viewed on its public profile page. Have I Been Pwned (HIBP), a data leakage tracking website, documented the incident, pointing out that there were about 29.8 million affected accounts, and that the leaked data contained about 30 million unique email addresses, which allowed the attackers to bind the public profile information to a specific email address, and the related data was even publicly released the following month.

SoundCloud provided a note on December 15, 2025, stating that once the team detected the unauthorized activity, they activated their incident response procedures and quickly stopped it, and commissioned a third-party information security expert to assist in the investigation. The company emphasized that the data affected this time did not include passwords or financial information, but mainly involved email addresses and public profile information.

According to SoundCloud, after handling this information security incident, the platform was immediately hit by a Denial of Service (DoS) attack, in which two attacks even affected the website's experience for a time. The company subsequently adjusted the relevant settings to strengthen monitoring, threat detection, as well as identity and access control mechanisms, but some users using VPNs had temporary connectivity problems as a result, and the official said that it was continuing to repair the situation. The official said it is continuing to fix the situation.

In a follow-up announcement on January 13th, SoundCloud pointed out that the attacker group claiming to be involved in the incident had recently made various requests to the company, harassed users, employees and partners with email flood attacks, and repeatedly claimed to have gained access to sensitive information on the platform. In response, SoundCloud said it has no evidence to substantiate these claims, and that the company has further strengthened its perimeter protection and DoS attack detection and mitigation capabilities, and is conducting a comprehensive review of its services and remediating potential system vulnerabilities.

HIBP added this incident to its data breach list on January 27th. The site lists the types of data affected, including email addresses, names, usernames, avatars, geographic locations, and profile statistics. Since email addresses are often used as login IDs or external contact channels, once they are bound to public profiles, it is easier for outsiders to target specific people for spamming, or to send messages disguised as mature people or customer service through social engineering techniques, greatly increasing the chance of misinformation from victims.

SoundCloud recommends that users maintain basic account and email protection habits and pay close attention to suspicious messages and phishing tactics. SoundCloud emphasizes that it will never ask users for passwords or account credentials in any way, and that users should avoid clicking on links or responding to suspicious messages, so as to prevent the leaked information from being used by unscrupulous people for further identity impersonation, which could lead to a wider range of damages.