SoundCloud Breach Exposes 29.8M Users – And We Only Found Out Later

A massive SoundCloud data breach from December 2025 has now been confirmed in scope; not by SoundCloud itself, mind you, but by outside security researchers who analyzed leaked data after attackers attempted to extort the company and then dumped the information publicly.

Nearly 29.8 million user accounts were affected. Most users were never directly warned. The full picture only emerged months later, once the stolen data began circulating and was indexed by breach-tracking services, including Have I Been Pwned, a giant in the industry.

This is the part that should worry everyone: the platform didn’t come forward with the scale of the damage — researchers did.

What Actually Happened

According to cybersecurity researchers, attackers (a group known as ShinyHunters, an infamous ransomware gang)  gained unauthorized access to SoundCloud systems in December 2025. After exfiltrating a large dataset, they attempted to extort the company, demanding payment in exchange for keeping the stolen data private.

When that didn’t work, the attackers released the data publicly. Independent analysis of the leaked files later showed that roughly 29.8 million accounts were impacted. The exposed data included:

• Email addresses.
• Usernames and display names.
• Profile and avatar information.
• Follower and following counts.
• Location data in some cases.

No passwords or payment details were found in the dataset, but that doesn’t mean affected users are safe. Email-based breaches are prime fuel for phishing, account takeovers elsewhere, and long-term identity profiling.

The key point: this information came from third-party analysis, not a proactive disclosure by SoundCloud.

Why “Just Emails” Is Still Dangerous

Companies love to downplay breaches by saying no passwords were leaked. That’s technically accurate here – and completely misleading.

Email addresses tied to real profiles are incredibly valuable. They allow attackers to:

• Send highly convincing phishing emails.
• Impersonate customer support teams or platform notifications.
• Target users across other services using the same email.
• Build long-term identity profiles for future attacks.

Once your data is out, it doesn’t expire. It gets copied, sold, merged with other leaks, and reused indefinitely.

And because the breach wasn’t loudly disclosed at the time, many users felt they had no reason to change passwords or be on alert when it mattered most.

The Bigger Problem: You’re Always the Last to Know

This breach isn’t unusual; it’s just another example of how the internet actually works now. Companies find out that something went wrong. Details stay vague or minimized. Attackers leak data anyway. Researchers piece together the truth. Users clean up the mess.

Even massive platforms aren’t immune. Even “non-critical” breaches have real consequences. And waiting for companies to be transparent is a losing strategy.

If SoundCloud (a global platform with millions of users) can lose data, get extorted, and still not be the primary source of truth about what happened, that tells you everything you need to know.

Final Take

This wasn’t SoundCloud coming clean. This was researchers connecting the dots after the damage was already done. The breach happened in December 2025. The extortion attempt happened quietly. The public learned the truth later, as usual.

If you’re not actively protecting yourself and the people around you online, no one else will. Because history keeps proving the same thing: big platforms fail. Attackers don’t. And you, as a user, always pay the price.