A major data breach involving SoundCloud has come to light, affecting almost 29.8 million user accounts worldwide. The incident was recently added to the database of Have I Been Pwned (HIBP), a well-known platform that tracks and reports data leaks. While no passwords or payment details were exposed, the scale of the breach has raised serious concerns about user privacy and the growing risks of phishing and online scams.
What Happened?
The breach occurred after attackers gained unauthorised access to an internal SoundCloud system, described as an ancillary or non-core service dashboard. This system was not part of SoundCloud’s main platform but still contained large amounts of user information. Once the unusual activity was detected, SoundCloud activated its incident response process and began securing its systems. Around the same time, some users reported service disruptions, including login issues and temporary access problems, likely linked to follow-up attacks.
How Many Users Were Affected?
According to data published by Have I Been Pwned, approximately 29.8 million SoundCloud accounts were impacted. This represents roughly one-fifth of SoundCloud’s total user base, making it one of the larger breaches involving a music streaming platform in recent years. The breach was officially added to the HIBP database in January 2026, allowing users to check whether their email addresses were involved.
What Information Was Exposed?
The leaked data mainly consisted of public and semi-public profile information, including:
- Email addresses
- Usernames and display names
- Profile images (avatars)
- Follower and following counts
- In some cases, the user’s country
Importantly, passwords, financial information, and private messages were not compromised. While this limits the immediate damage, exposed email addresses combined with profile details can still be valuable to attackers.
Why This Still Matters
Even without passwords, this kind of data can be used for phishing and social engineering attacks. Cybercriminals can craft convincing emails that appear to come from SoundCloud, referencing real usernames or profile details to gain trust. With nearly 30 million email addresses exposed, the breach creates a large pool of potential targets for scams.
What Users Should Do Now
If you have a SoundCloud account, it’s a good idea to take a few precautionary steps:
- Check your email address on Have I Been Pwned to see if it was affected.
- Change your SoundCloud password, especially if you reuse passwords across services.
- Enable two-factor authentication (2FA) wherever possible.
- Stay alert for suspicious emails or messages claiming to be from SoundCloud.
Final Thoughts
While SoundCloud has stated that sensitive credentials were not exposed, the sheer size of the breach makes it significant. It’s another reminder that even well-known platforms can be vulnerable, and that users should remain proactive about protecting their online accounts and personal information.
