SoundCloud has confirmed a security breach after users reported widespread access issues and VPN-related outages, revealing that threat actors accessed a database containing user information.
The incident disrupted service availability and exposed account data tied to millions of users, raising concerns about downstream abuse even though no passwords or financial data are reported to be compromised.
In a statement shared with BleepingComputer, SoundCloud said it detected “unauthorized activity involving an ancillary service dashboard” and immediately activated its incident response procedures.
The company added that while some data was accessed, “no sensitive data (such as financial or password data) has been accessed,” and the exposed information was limited to email addresses and details already visible on public SoundCloud profiles.
What the SoundCloud Breach Means for Users
The breach affects a widely used consumer platform with a massive global user base, meaning even limited data exposure can have meaningful security implications at scale.
BleepingComputer reports that approximately 20% of SoundCloud’s users were impacted, which — based on publicly available figures — could equate to roughly 28 million accounts.
While the data itself may be non-sensitive, exposed email addresses can be leveraged for phishing campaigns, credential stuffing attempts, or social engineering attacks targeting users.
SoundCloud stated that it has blocked all unauthorized access and does not believe there is any ongoing risk to the platform.
The company also said it is working with third-party cybersecurity experts to strengthen its defenses, including improving monitoring and threat detection, reviewing identity and access controls, and assessing related systems to prevent similar incidents.
VPN Access Issues Reveal SoundCloud Breach
The breach came to light after users began reporting repeated HTTP 403 Forbidden errors when attempting to access SoundCloud through VPN connections.
While some users initially believed the platform had intentionally blocked VPN traffic, SoundCloud later clarified that the disruption was the result of configuration changes made during its security response.
Following its containment efforts, SoundCloud also experienced denial-of-service attacks that temporarily impacted the availability of its website.
Ancillary Dashboard Access Led to Data Exposure
According to SoundCloud, attackers gained access through an ancillary service dashboard rather than the company’s core production systems.
While additional details about the intrusion method remain limited, access to internal dashboards can still expose large datasets and create opportunities for extortion or follow-on attacks.
SoundCloud has not publicly identified the threat actor responsible.
However, BleepingComputer reported receiving information from a source claiming that the ShinyHunters extortion group was behind the attack and is attempting to extort the company after allegedly stealing the database.
Practical Steps to Improve Cyber Resilience
The following measures outline practical steps organizations can take to reduce risk and improve visibility.
- Educate users about increased phishing risk and encourage caution with unsolicited emails or messages referencing SoundCloud activity.
- Secure ancillary and non-core systems by enforcing least-privilege access, auditing permissions, and applying the same security standards as core infrastructure.
- Strengthen identity and access management by shortening session lifetimes, rotating credentials, and invalidating active sessions after an incident.
- Improve monitoring and detection with detailed logging and real-time alerts for anomalous access to dashboards, APIs, and administrative tools.
- Test and refine incident response playbooks to ensure security controls and configuration changes do not unintentionally disrupt legitimate user access.
- Increase visibility into third-party and internal services while expanding post-incident abuse monitoring to detect phishing, data misuse, or follow-on attacks.
Taken together, these steps support stronger cyber resilience by improving an organization’s ability to reduce exposure, detect abnormal activity early, and respond to incidents.
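As an added illustration of the monitoring step above (not code from SoundCloud or from the original article), the following sketch flags dashboard queries that return far more records than an account normally pulls, or that arrive from a source network the account has not used before. The JSON log format, field names, sample events, and thresholds are all assumptions made for the example.

```python
import json
from collections import defaultdict
from statistics import median

# Constructed sample (JSON lines) from a hypothetical internal dashboard; field names are assumed.
SAMPLE_LOG = """\
{"ts":"2025-01-06T09:12:00Z","user":"analyst1","src":"10.20.0.15","rows":40}
{"ts":"2025-01-06T09:30:00Z","user":"analyst1","src":"10.20.0.15","rows":55}
{"ts":"2025-01-06T10:02:00Z","user":"svc-report","src":"10.20.1.9","rows":1200}
{"ts":"2025-01-06T10:40:00Z","user":"analyst1","src":"10.20.0.15","rows":38}
{"ts":"2025-01-06T11:02:00Z","user":"svc-report","src":"10.20.1.9","rows":1100}
{"ts":"2025-01-06T11:15:00Z","user":"analyst2","src":"10.20.0.22","rows":10}
{"ts":"2025-01-06T12:02:00Z","user":"svc-report","src":"10.20.1.9","rows":1300}
{"ts":"2025-01-06T12:20:00Z","user":"analyst2","src":"10.20.0.22","rows":12}
{"ts":"2025-01-06T13:02:00Z","user":"svc-report","src":"10.20.1.9","rows":1250}
{"ts":"2025-01-06T13:05:00Z","user":"analyst2","src":"10.20.0.22","rows":9}
{"ts":"2025-01-07T02:41:00Z","user":"analyst1","src":"203.0.113.7","rows":250000}
{"ts":"2025-01-07T03:10:00Z","user":"analyst2","src":"10.20.0.22","rows":5000}
"""

ROW_FLOOR = 1000     # assumed: never alert on result sets smaller than this
SPIKE_FACTOR = 20    # assumed: alert when rows exceed 20x the account's median
MIN_HISTORY = 3      # clean events required before the median is trusted

def net(ip):
    """Coarse source network: the first two octets of an IPv4 address."""
    return ".".join(ip.split(".")[:2])

def detect(lines):
    """Return (ts, user, src, rows, reasons) for each anomalous event, in log order."""
    rows_seen, nets_seen, alerts = defaultdict(list), defaultdict(set), []
    for line in filter(str.strip, lines):
        e = json.loads(line)
        user, rows, src_net = e["user"], e["rows"], net(e["src"])
        hist, reasons = rows_seen[user], []
        if len(hist) >= MIN_HISTORY and rows >= ROW_FLOOR and rows > SPIKE_FACTOR * median(hist):
            reasons.append("volume_spike")
        if nets_seen[user] and src_net not in nets_seen[user]:
            reasons.append("new_source_network")
        if reasons:
            alerts.append((e["ts"], user, e["src"], rows, reasons))
        else:
            # Only clean events extend the baseline, so flagged activity cannot normalise itself.
            hist.append(rows)
            nets_seen[user].add(src_net)
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()): print(alert)
```

The per-account median keeps a reporting service account that routinely pulls about 1,200 rows from alerting, while the same absolute volume from an analyst account would stand out.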
The Growing Risk of Non-Core System Breaches
The SoundCloud incident illustrates a broader pattern in which attackers increasingly focus on secondary systems and widely accessible platforms as efficient ways to collect data or apply extortion pressure.
Even when the exposed information is limited, the scale of large consumer platforms can amplify the impact and create meaningful downstream risk.
As digital ecosystems grow more complex, the incident underscores that cyber resilience requires securing both core infrastructure and the supporting services attackers often target first.
This shift highlights why many organizations are turning to zero-trust principles that limit implicit trust and reduce the impact of compromise across both core and supporting systems.
