In December 2025, SoundCloud discovered unauthorized activity on its platform that enabled an attacker to map publicly available SoundCloud profile data to email addresses for approximately 20% of its users. The breach impacted 29.8 million unique email addresses along with associated personal information including names, usernames, avatars, follower and following counts, and in some cases, user country data. Following the discovery, the attackers attempted to extort SoundCloud before publicly releasing the stolen data the following month. The incident highlights risks associated with mapping publicly accessible profile information to private email addresses.
Unauthorized activity allowed mapping of public profile data to email addresses
Security controls failed to prevent unauthorized mapping between public profile data and private email addresses. Recommendations include implementing stricter access controls between public and private data repositories, enhancing API security to prevent unauthorized data correlation, and establishing better monitoring for unusual data access patterns that could indicate mapping activities.