Last updated 1 month ago
SoundCloud, a Germany-based audio streaming technology platform, discovered unauthorized activity on its platform in December 2025 and disclosed the incident the same month. The breach exposed approximately 29.8 million records, impacting roughly 20% of SoundCloud's user base. The incident involved mapping of publicly available profile information to associated email addresses.
The attack involved unauthorized access that enabled an attacker to correlate publicly accessible SoundCloud profile data with email addresses. The exfiltrated data included 30 million unique email addresses, names, usernames, avatar images, follower and following counts, and in some cases user country information. Attackers later attempted to extort SoundCloud before publicly releasing the data the following month.
Following the breach disclosure, attackers publicly released the stolen data in January 2026 after their extortion attempt against SoundCloud. The company has not disclosed whether any ransom was paid or provided details about containment or remediation measures implemented following the incident.
Unauthorized activity allowed mapping of publicly available profile data to email addresses
SoundCloud's breach demonstrates the risk of correlating publicly accessible user profile data with private identifiers like email addresses, even when individual data elements may not seem sensitive. Technology platforms with large user-generated content repositories must implement stricter access controls between public-facing APIs and backend user databases. The incident highlights how attackers can monetize seemingly benign profile information when linked to contact data, creating extortion opportunities.
Sign in to join the discussion.
Company
Industry
Location
Discovered
Disclosed
Records Affected
Attack Vector