SoundCloud Leak: 29.8M Users Exposed to Targeted Phishing

A major SoundCloud data leak affecting 29.8 million users was indexed by HaveIBeenPwned on January 27, 2026. The incident, originating in December 2025, links private emails to public profiles, creating a high risk of sophisticated phishing and social engineering attacks against creators and fans.


A New Threat for SoundCloud Creators and Fans

On January 27, 2026, the data breach notification service Have I Been Pwned officially added a massive database containing the details of 29.8 million SoundCloud users. The incident highlights a dangerous and increasingly common type of data breach: de-anonymization. By linking previously non-public email addresses to public profile information, attackers have created a powerful tool for launching highly convincing scams.

What Happened? A Timeline of the Breach

This was not a direct hack of SoundCloud's servers where attackers stole passwords. Instead, it was a sophisticated data correlation attack that unfolded over several weeks.

  • December 2025: Attackers scraped publicly available data from millions of SoundCloud profiles, including usernames, full names, and follower counts.
  • Data Correlation: This public data was then cross-referenced and mapped against email addresses obtained from other, separate data breaches. This crucial step connected public personas to private email accounts.
  • Early January 2026: The attackers attempted to extort SoundCloud, but their demands were not met.
  • Mid-January 2026: Following the failed extortion, the attackers released the entire correlated database on a public hacking forum.

SoundCloud's official statements have emphasized that no passwords or financial information were compromised in this incident.

The Real Danger: De-Anonymization and Targeted Attacks

The primary risk from this leak isn't a direct account takeover, but the potential for hyper-targeted phishing and social engineering campaigns. With this data, threat actors can now craft emails that appear incredibly legitimate.

The leaked database contains:

  • Non-public email addresses
  • Public usernames and full names
  • Public follower counts and other profile metrics

Imagine an artist receiving an email sent to their private address that says, "Hi [Artist Name], we see you have [X] followers on SoundCloud and want to offer you a promotion for your latest track." This level of personalization makes a scam far more believable than a generic message, tricking users into clicking malicious links or revealing sensitive credentials for other services.

How to Protect Yourself Now

Even though your SoundCloud password is safe, all users should take immediate steps to secure their digital identity.

  1. Check Your Exposure: Visit the Have I Been Pwned website to see if your email address was included in this breach or any others. This provides crucial awareness of your risk profile.

  2. Enable Two-Factor Authentication (2FA): Add a second layer of security to your SoundCloud account. This makes it significantly harder for anyone to gain unauthorized access, even if they were to guess or acquire your password elsewhere.

  3. Scrutinize All SoundCloud-Related Emails: Be extremely cautious of unsolicited messages regarding your account. Look for red flags like urgent requests, grammatical errors, or links that point to unofficial domains. Verify any official communication by logging into your account directly through the SoundCloud website or app.

  4. Secure Your Digital Workflow: For artists, this breach poses a risk to your entire online ecosystem. Attackers may use this information to impersonate services like music distributors, promotional platforms, or collaborators. Always verify requests for credentials or payments through a separate, trusted communication channel.
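The link check from step 3, as an added example that is not part of the original article: it parses an email's HTML body and flags links whose host is not an official domain, including lookalike hosts and links whose visible text names the official domain while the target goes elsewhere. The allowlist (only `soundcloud.com`), the function names, and the sample message are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the only domain treated as official; extend it from your own records.
OFFICIAL_DOMAINS = {"soundcloud.com"}

# Constructed sample message (names, numbers and hosts are made up).
SAMPLE_EMAIL = """
<p>Hi DJ Example, we see you have 12,400 followers on SoundCloud.</p>
<a href="https://soundcloud.com/settings">Account settings</a>
<a href="https://soundcloud.com.promo-boost.example/login">soundcloud.com/promo</a>
<a href="http://soundcloud.com@login.example/verify">Verify now</a>
"""

def is_official(host):
    """True only for an official domain or a real subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)

class LinkCollector(HTMLParser):  # collects [href, visible text] per <a>
    def __init__(self):
        super().__init__()
        self.links, self._open = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._open = [dict(attrs).get("href") or "", ""]
    def handle_data(self, data):
        if self._open is not None:
            self._open[1] += data
    def handle_endtag(self, tag):
        if tag == "a" and self._open is not None:
            self.links.append(self._open)
            self._open = None

def audit_links(html_body):
    """Return (host, flags) per link; an empty flag list means nothing was flagged."""
    parser = LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        parts = urlsplit(href)
        flags = [] if parts.scheme == "https" else ["not-https"]
        if not is_official(parts.hostname):
            flags.append("unofficial-domain")
            # Visible text names an official domain but the target is elsewhere.
            if any(d in text.lower() for d in OFFICIAL_DOMAINS):
                flags.append("text-mismatch")
        findings.append((parts.hostname, flags))
    return findings
```

An empty flag list only means the link targets passed these checks; logging in directly through the SoundCloud website or app remains the way to verify a message.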
