SoundCloud Data Breach Exposes 30M Accounts As Extortion Gang Dumps Stolen Data

SoundCloud, best known as a home to indie musicians including the popular "SoundClown" comedy remixers, has been hit with a major data breach that includes the avatars, email addresses, names, usernames, locations, and profile statistics of nearly 30 million (29.8 million) accounts. This breach follows demands from an extortion group that has now made good on its threat to dump the stolen information.

The breach, apparently performed by the black hat gang ShinyHunters, was confirmed by the platform itself. In a statement to BleepingComputer, SoundCloud said: "We understand that a purported threat actor group accessed certain limited data that we hold. We have completed an investigation into the data that was impacted, and no sensitive data (such as financial or password data) has been accessed. The data involved consisted only of email addresses and information already visible on public SoundCloud profiles." The attack apparently affected roughly 20% of all SoundCloud users, but nothing suggests that key credentials were compromised.

Even so, there is some cause for alarm, particularly considering the recent mega-leak of over 149 million accounts across email, social media, and gaming services. Accounts compromised there that share passwords with the corresponding SoundCloud accounts can now be exploited. One of the most common practices among cybercriminals is "credential stuffing": using bots to attempt mass logins with previously leaked passwords, including those from other services, against accounts that reuse them. As always, we stress the need for readers to periodically refresh their passwords. You should also consider a password manager and/or two-factor authentication wherever possible to mitigate the risk of these breaches when they happen.

As far as data breaches go, though, this is certainly one of the less concerning incidents I've reported on recently, since no password or private financial information was included. While some alarm is warranted given its proximity to other, more major security breaches, most end users likely have little to worry about and can continue using SoundCloud freely. Ironically, per BleepingComputer, the inability to use SoundCloud freely contributed to the initial report of this breach, since SoundCloud only confirmed the attack after users on VPN services reported the site becoming unusable.
Chris Harper


Christopher Harper is a tech writer with over a decade of experience writing how-tos and news. Off work, he stays sharp with gym time & stylish action games.