SoundCloud’s December 2025 security incident has turned out to be far larger than initially disclosed. Fresh disclosures now confirm that data linked to nearly 29.8 million SoundCloud user accounts was exposed and later released online. This makes it one of the biggest breaches in the platform’s history.
When SoundCloud first confirmed the incident in December, the company said unauthorized activity was detected in an ancillary service dashboard. It stated that only limited data was accessed and that no passwords, financial details, or private content were compromised. SoundCloud also said the issue affected around 20 percent of its users and had been fully contained.
New findings from data breach tracking service Have I Been Pwned now put a clearer number on that estimate. According to the service, attackers harvested data from 29.8 million accounts. The exposed information includes email addresses, names, usernames, profile photos, follower and following counts, and in some cases, the user’s country.
While much of this information was already visible on public SoundCloud profiles, the key issue is that it was linked to private email addresses. This significantly increases the risk of phishing, spam, and targeted scams. Security experts point out that once such datasets are released publicly, they are difficult to contain or take down.
The breach has been attributed to the ShinyHunters hacking group. SoundCloud had earlier acknowledged that the attackers attempted to extort the company and used email flooding tactics to harass users, employees, and partners. Reports now suggest that the group released the stolen data after extortion attempts failed.
SoundCloud has not issued a fresh public statement following the latest disclosure. It is also unclear whether all affected users will be notified directly. The company had earlier said it strengthened monitoring systems, reviewed access controls, and added more security checks after the incident.
This development changes how the December breach should be viewed. What was initially described as a limited exposure now appears to be a mass data leak with long-term privacy risks for millions of users. It also highlights a growing trend where attackers weaponise even public data by combining it with private identifiers like email addresses.
Users are advised to stay alert for phishing emails, avoid clicking on unknown links, and consider using email filters or aliases. The SoundCloud incident is another reminder that large platforms remain attractive targets and that the real impact of breaches often becomes clear only weeks or months later.
