SoundCloud Extortion Campaign Hits 29.8 Million Users After Massive Leak Confirmed
The data, which first surfaced in mid-December 2025, represents more than just a statistical failure; it marks a transition from a corporate security incident to a targeted weaponization of user identities.
The PR Deflection vs. Reality
SoundCloud’s official stance has been one of damage control, emphasizing that hackers did not steal "sensitive" credentials like passwords or financial data. However, security analysts argue this is a tactical PR deflection. By mapping private email addresses to public profile handles, the attackers have stripped away the layer of anonymity many creators rely on.
The compromised data includes:
- Unique email addresses and corresponding usernames
- Full names and profile avatars
- Geographic locations and country-specific data
- Specific account metrics, including follower counts and social reach
The breach traces back to an insecure administrative API—a legacy dashboard used for promotional services that remained active despite being outdated. By exploiting this internal structure, the attackers scraped comprehensive profiles without triggering the platform’s primary rate-limiting defenses.
ShinyHunters and the Extortion Playbook
The notorious threat actor group ShinyHunters claimed responsibility for the hit. Known for high-profile raids on giants like Microsoft, Ticketmaster, and AT&T, the group follows a predictable but effective pattern: steal the data, demand a ransom, and leak the records when the company refuses to pay.
SoundCloud reportedly ignored the group's demands in late December, leading to the full database dump on the dark web last week. This is not a static data leak. SoundCloud updated its security advisory on January 13, acknowledging that criminals are already using the data to harass both employees and high-profile users.
Instead of generic spam, attackers are launching sophisticated spear-phishing strikes. For example, some creators have reported receiving emails that reference their exact follower counts and geographic location, posing as "SoundCloud Artist Support" to offer account verification or monetization "upgrades." These messages are designed to lure users to spoofed login pages to capture the passwords that weren't included in the original breach.
The Pivot to Credential Stuffing
The risk to the audio community extends beyond simple identity theft. For musicians, podcasters, and independent labels, a SoundCloud profile is a brand asset. The availability of email addresses paired with usernames provides a roadmap for "credential stuffing" attacks.
Hackers are currently running automated scripts to test these email/username combinations against other high-value targets, such as Gmail, Instagram, or banking portals. If a creator uses the same credentials across their digital footprint, the SoundCloud leak becomes the master key to their entire professional presence.
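One way a service on the receiving end of this kind of stuffing can spot it in its own login records, given as an added example that is not from the original article. The event format, thresholds, and sample addresses and accounts are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample login events: (source_ip, account_identifier, success).
# Addresses come from documentation ranges; account names are made up.
SAMPLE_EVENTS = (
    # One source walking a list of leaked identifiers, one try per account.
    [("203.0.113.7", f"creator{i}@example.com", False) for i in range(5)]
    + [("203.0.113.7", "dj_constructed@example.com", True)]
    # A real user mistyping a password once, then succeeding.
    + [("198.51.100.20", "listener@example.com", False),
       ("198.51.100.20", "listener@example.com", True)]
    # Repeated guessing against a single account: a different pattern.
    + [("192.0.2.55", "label@example.com", False)] * 8
)


def find_stuffing_sources(events, min_accounts=5, min_fail_ratio=0.8):
    """Flag sources that try many distinct accounts and mostly fail.

    Thresholds are illustrative assumptions; tune them per service.
    Returns {source: {distinct_accounts, fail_ratio, reset_required}}.
    """
    stats = defaultdict(
        lambda: {"accounts": set(), "total": 0, "fail": 0, "hits": set()}
    )
    for source, account, success in events:
        entry = stats[source]
        entry["accounts"].add(account.lower())
        entry["total"] += 1
        if success:
            entry["hits"].add(account.lower())
        else:
            entry["fail"] += 1

    flagged = {}
    for source, entry in stats.items():
        ratio = entry["fail"] / entry["total"]
        if len(entry["accounts"]) >= min_accounts and ratio >= min_fail_ratio:
            flagged[source] = {
                "distinct_accounts": len(entry["accounts"]),
                "fail_ratio": round(ratio, 2),
                # A success from a flagged source means a reused password
                # worked: force a reset and revoke sessions for these.
                "reset_required": sorted(entry["hits"]),
            }
    return flagged


if __name__ == "__main__":
    print(find_stuffing_sources(SAMPLE_EVENTS))
```

The single-account guessing source and the user with one typo are deliberately not flagged, since neither shows the wide, shallow spread across accounts that a leaked identifier list produces.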
Legal firms are already circling the incident, suggesting that the exposure of Personally Identifiable Information (PII) constitutes a failure of duty under modern data protection laws. For the 29.8 million people affected, the focus must now shift to defensive posture.
Security professionals are urging users to secure their verified badges and brand accounts by enabling hardware-based two-factor authentication (2FA) and rotating passwords immediately—even if SoundCloud claims your "sensitive" data is safe.
