SoundCloud Breach: What Happened and What Users Need to Know

SoundCloud has confirmed that recent service outages and VPN access disruptions were caused by a security breach that exposed a portion of its user database, including email addresses and profile information. The disclosure comes after days of user complaints reporting “403 forbidden” errors when attempting to access the platform through virtual private networks.

The audio streaming company acknowledged that threat actors gained unauthorized access to one of its internal systems, prompting an incident response that included security containment measures, some of which unintentionally disrupted VPN connectivity.

Unauthorized Access Detected in Internal Service Dashboard

In a statement, SoundCloud said it recently detected unauthorized activity involving an ancillary service dashboard and immediately activated its internal incident response procedures.

“We understand that a purported threat actor group accessed certain limited data that we hold,” the company said, adding that its investigation has now been completed.

According to SoundCloud, the breach was limited in scope and did not involve sensitive data such as passwords, financial information, or authentication credentials. The exposed data consisted only of users’ email addresses and information already visible on public SoundCloud profiles.

Up to 20% of Users Potentially Impacted

Despite SoundCloud’s assurances, the scale of the incident appears significant. Sources familiar with the matter said that approximately 20% of SoundCloud’s user base was affected by the breach. Based on publicly reported figures, this could translate to roughly 28 million user accounts.

SoundCloud has not independently confirmed the exact number of impacted users but said it is confident that all unauthorized access has now been blocked and that there is no ongoing risk to its systems.

As part of its containment efforts, SoundCloud implemented configuration changes designed to protect its infrastructure. However, these changes resulted in widespread VPN access disruptions, preventing users from connecting to the platform while using VPN services.

The company acknowledged the issue but has not provided a clear timeline for when VPN access will be fully restored. The lack of clarity has drawn criticism from privacy-conscious users who rely on VPNs for secure browsing.

Following the breach disclosure and mitigation steps, SoundCloud also experienced denial-of-service attacks that temporarily affected the availability of its web platform. The company did not attribute these attacks to the same threat actor but confirmed they were addressed as part of its broader security response.

SoundCloud said it is working with third-party cybersecurity experts to strengthen its defenses. Measures taken include enhanced monitoring and threat detection, a review of identity and access controls, and a wider assessment of related systems to prevent further compromise.

ShinyHunters Gang Allegedly Behind the Breach

While SoundCloud has not officially named the group responsible, BleepingComputer reported receiving information suggesting that the ShinyHunters extortion gang was behind the attack. According to the report, the group is allegedly attempting to extort SoundCloud after stealing a database containing user information.

ShinyHunters is a well-known cybercrime group linked to several high-profile data breaches in recent years. The same group has also been implicated in a separate breach involving PornHub, reported earlier the same day.

SoundCloud has declined to comment on the identity of the attackers or on any extortion demands.

What This Means for Users

Although SoundCloud maintains that no passwords or financial data were compromised, the exposure of email addresses still raises concerns about phishing and targeted scams. Cybersecurity experts typically warn that even limited data leaks can be exploited in follow-up attacks, particularly when combined with information from other breaches.

Users are advised to remain cautious of unsolicited emails, avoid clicking on suspicious links, and ensure that their SoundCloud-associated email accounts are protected with strong passwords and multi-factor authentication.
