Audio streaming platform SoundCloud has confirmed that outages and VPN connection issues over the past few days were caused by a security breach in which threat actors stole a database exposing users’ email addresses and profile information.
The disclosure follows widespread reports over the past four days from users who were unable to access SoundCloud when connecting via VPN, with attempts resulting in the site displaying 403 “forbidden” errors.
In a statement shared with BleepingComputer, SoundCloud said it recently detected unauthorized activity involving an ancillary service dashboard and activated its incident response procedures.
SoundCloud acknowledged that a threat actor accessed some of its data but said the exposure was limited in scope.
“We understand that a purported threat actor group accessed certain limited data that we hold,” SoundCloud told BleepingComputer.
“We have completed an investigation into the data that was impacted, and no sensitive data (such as financial or password data) has been accessed. The data involved consisted only of email addresses and information already visible on public SoundCloud profiles.”
BleepingComputer has learned that the breach affects 20% of SoundCloud’s users, which, based on publicly reported user figures, could impact roughly 28 million accounts.
The company said it is confident that all unauthorized access to SoundCloud systems has been blocked and that there is no ongoing risk to the platform.
Working with third-party cybersecurity experts, the company said it took additional steps to strengthen its security, including improving monitoring and threat detection, reviewing identity and access controls, and conducting an assessment of related systems.
However, the company’s response included a configuration change that disrupted VPN connectivity to the site. SoundCloud has not provided a timeline for when VPN access will be fully restored.
Following the response, SoundCloud experienced denial-of-service attacks that temporarily disabled the platform’s web availability.
After publishing our story, SoundCloud published a security notice with this information.
While SoundCloud has not shared details about the threat actor behind the breach, BleepingComputer received a tip earlier today stating that the ShinyHunters extortion gang was responsible.
Our source said that ShinyHunters is now extorting SoundCloud after allegedly stealing a database containing information about its users.
ShinyHunters is also responsible for the PornHub data breach that was first reported today by BleepingComputer.
This is a developing story, and we will update it as more information becomes available.
Broken IAM isn’t just an IT problem – the impact ripples across your whole business.
This practical guide covers why traditional IAM practices fail to keep up with modern demands, examples of what “good” IAM looks like, and a simple checklist for building a scalable strategy.
