Audio streaming giant SoundCloud has confirmed that cybercriminals infiltrated their systems and accessed data from approximately 28 million user accounts.
That’s 20% of the platform’s entire user base, disclosed following detection of unauthorized activity in an internal service dashboard.
The breach has already triggered widespread chaos across the platform, with users worldwide reporting connection failures and cryptic error messages. SoundCloud immediately enlisted external cybersecurity specialists and launched a comprehensive investigation after discovering the intrusion. While the company insists that no passwords or financial data were compromised, the aftermath continues creating headaches for millions of music lovers globally.
Hackers managed to steal email addresses combined with publicly visible profile information—a combination that security experts warn creates perfect conditions for sophisticated phishing campaigns targeting the platform’s creative community.
The attack
Behind this sophisticated attack lies ShinyHunters, a notorious data extortion group that BleepingComputer identified as the masterminds. The same cybercriminal organization made headlines for another high-profile breach targeting PornHub, showcasing their aggressive campaign against major platforms.
The hackers penetrated what SoundCloud described as an “ancillary service dashboard”—essentially a secondary system supporting platform operations rather than the main consumer-facing service. Security investigators confirmed this strategic approach allowed the criminals to access user data while avoiding more heavily protected primary systems.
The timing couldn’t be worse for SoundCloud as the platform battles for market share against streaming giants like Spotify and Apple Music. While the exposed information consisted only of details already visible on public profiles paired with email addresses, data reveals this data combination has become increasingly valuable to cybercriminals launching targeted social engineering attacks against creative professionals and music enthusiasts.
VPN chaos and denial-of-service mayhem
SoundCloud’s security response unleashed an unexpected cascade of technical problems that left users scratching their heads across multiple countries. Users in Russia, China, and Turkey began encountering “403 Error” messages when attempting to access SoundCloud through VPN services.
What initially appeared to be intentional geo-blocking turned out to be an unintended consequence of emergency security configuration changes implemented to contain the breach. The platform’s troubles multiplied when cybercriminals launched coordinated denial-of-service attacks following the initial containment efforts.
Two of these attacks successfully disrupted web access temporarily, though mobile apps and core streaming functionality remained operational. SoundCloud acknowledged that its aggressive security hardening measures, including enhanced Web Application Firewall policies, inadvertently blocked legitimate users connecting through VPN or proxy services.
Industry sources confirmed these connectivity issues stemmed from configuration changes made during their security response rather than deliberate access restrictions.
What this means for millions of music lovers
SoundCloud has implemented a comprehensive security overhaul that includes enhanced monitoring systems, reinforced access controls, and a complete audit of related infrastructure, working with third-party experts. The company strongly recommends that all users change their passwords immediately and enable two-factor authentication to protect against potential phishing attempts using the stolen email addresses.
The incident highlights a growing trend where cybercriminal groups like ShinyHunters focus on data theft rather than traditional ransomware encryption, making detection more challenging for security teams.
Users should remain vigilant for suspicious emails that reference their SoundCloud activity or attempt to trick them into revealing additional personal information. Unfortunately, SoundCloud has not provided a timeline for restoring full VPN access, leaving millions of users in affected regions uncertain about when normal connectivity will resume.
More bad news blues. An unsecured database exposed 4.3 billion LinkedIn-derived records, enabling large-scale phishing and identity-based attacks.
