According to TechRepublic, audio streaming platform SoundCloud has confirmed a cyberattack that compromised data from approximately 28 million user accounts, which represents about 20% of its entire user base. The breach was discovered through unauthorized activity in an internal “ancillary service dashboard.” The notorious hacking group ShinyHunters, known for a similar attack on PornHub, has been identified as the perpetrator. The intrusion has already caused widespread connection failures and cryptic error messages for users around the world. While SoundCloud states no passwords or financial data were taken, the hackers made off with email addresses combined with publicly visible profile information.
The ShinyHunters Playbook
Here’s the thing about ShinyHunters: they’re not your smash-and-grab ransomware crew. They’re data extortion specialists. Their move is to find a side entrance, like that “ancillary service dashboard,” which is often less fortified than the main user-facing systems. They slip in, take the data, and then the real game begins. This breach is a textbook example of a worrying trend. Why bother with encrypting systems and demanding a ransom when you can just steal a clean database of emails and user details? It’s quieter, harder to detect immediately, and frankly, the data might be more valuable on the dark web for phishing. Pairing an email with a public profile (like a musician’s name or location) gives scammers a huge head start in crafting believable, targeted attacks. It’s a nightmare for the creative community that relies on SoundCloud.
When The Fix Breaks Things
Now, the aftermath has been almost as messy as the breach itself. In their scramble to lock things down, SoundCloud’s security team made configuration changes that had a massive unintended consequence: they blocked a ton of legitimate VPN and proxy traffic. Users in places like Russia, China, and Turkey started seeing “403 Error” messages, thinking they were being geo-blocked. But nope—it was just collateral damage from emergency security hardening. To make matters worse, the company then got hit with follow-up denial-of-service attacks. It’s a brutal one-two punch. You get hacked, then you implement aggressive fixes that break service for a chunk of your users, and then while you’re dealing with *that*, you get DDoS’d. It shows how complex incident response really is. Sometimes, in the race to close the barn door, you accidentally lock out the horses.
What This Means For You
So, what should the 28 million affected users do? SoundCloud’s official advice, detailed in their playbook article, is to change your password and enable two-factor authentication immediately. That’s non-negotiable. But you need to go further. Be hyper-vigilant for phishing emails that now might know you’re a SoundCloud user or even reference your artist name. They’ll look convincing. Basically, treat any unsolicited email with extreme skepticism for the foreseeable future. And if you rely on a VPN to access the service? You might be out of luck for a while. SoundCloud hasn’t given a timeline for restoring that access, which is a real problem for users in regions with restrictive internet policies. For more technical details on the breach and VPN disruption, BleepingComputer has a solid breakdown.
A Shaky Time For Streaming
This breach hits SoundCloud at a precarious moment. They’re already battling giants like Spotify and Apple Music for market share. Trust is everything in streaming, and an event like this shakes that foundation. It also highlights a strategic vulnerability. As platforms like Spotify push forward with new AI music partnerships and features, they’re amassing more data. That data becomes a juicier target. The incident is a stark reminder that for every cool new feature, there needs to be an equivalent investment in securing the less-sexy backend systems—the “ancillary dashboards” that hackers love to target. For SoundCloud, the path forward isn’t just about patching a hole. It’s about convincing artists and listeners that their platform is a secure home, not just a convenient one. That’s a much harder tune to write.
