SoundCloud Breach Exposes 28 Million Accounts in ShinyHunters Attack
By Trevor Loucks
Founder & Lead Developer, Dynamoi
SoundCloud has confirmed a massive security breach affecting nearly 20% of its user base, exposing the email addresses and profile data of approximately 28 million accounts. While the Berlin-based platform has contained the initial intrusion, the fallout has triggered a chaotic chain of operational disruptions that are headache-inducing for digital strategists and artist managers.
As of Tuesday, December 16, 2025, the service is battling on two fronts: securing the compromised data and mitigating retaliatory Denial of Service (DoS) attacks. For the music industry, this isn't just a tech story; it is a wake-up call regarding the fragility of the digital supply chain that powers A&R discovery and demo sharing.
Inside the 28 million figure
The breach did not occur through the main consumer app, but via an "ancillary service dashboard"—a secondary internal system likely used for analytics or operations. While technical teams might appreciate the distinction, the scale of the leak is significant.
Here is the damage report:
- The scope: 20% of active users, translating to roughly 28 million accounts.
- The exposure: Email addresses and public profile data are in the wild.
- The silver lining: SoundCloud states that passwords, financial details, and biometric data remain secure.
Key insight: The compromised data is limited to contact info, but in the music business, an artist's email is a gateway key. The real risk now is not direct account theft, but highly targeted social engineering.
ShinyHunters vs. The Dashboard
Although SoundCloud officially attributes the attack to a "purported threat actor group," security analysts have linked the intrusion to ShinyHunters. This cyber-extortion gang specializes in harvesting databases from digital platforms to hold them for ransom.
The entry point serves as a critical lesson for label operations leads: the "ancillary dashboard" vulnerability proves that a platform is only as secure as its least-monitored internal tool. When evaluating tech partnerships, executives must scrutinize the security of the entire ecosystem, not just the consumer-facing frontend.
The 403 error fallout
In a defensive maneuver to stop the data exfiltration, SoundCloud implemented aggressive configuration changes that blocked Virtual Private Network (VPN) access. This decision prioritized system integrity over connectivity, but the cost was immediate global fragmentation.
- The disruption: Users relying on VPNs began hitting
HTTP 403errors starting December 13. - The geography: This effectively cut off legitimate users in territories like Russia, Turkey, and mainland China where VPNs are essential for access.
- The volatility: Even after the breach was contained, retaliatory DoS attacks temporarily disabled the web interface, forcing A&Rs to rely on mobile apps and APIs which remained stable.
Protecting the digital supply chain
For managers and label reps, the immediate threat is "phishing migration." Threat actors often use fresh databases to craft convincing emails—posing as royalty collection societies or DSP support—to steal credentials for higher-value targets like Spotify for Artists or bank accounts.
The risk: Managers often reuse passwords or fail to enable Multi-Factor Authentication (MFA) on demo accounts.
The fix: Assume every SoundCloud-associated email is public. Rotate passwords immediately if they were reused elsewhere, and enforce MFA across your roster's entire digital footprint. Furthermore, this instability may accelerate the industry's shift away from using SoundCloud for private pre-release assets, pushing sensitive content toward dedicated B2B tools like Disco or Box.
About the Editor
Trevor Loucks is the founder and lead developer of Dynamoi, where he focuses on the convergence of music business strategy and advertising technology. He focuses on applying the latest ad-tech techniques to artist and record label campaigns so they compound downstream music royalty growth.
