| ▲ | SoundCloud Data Breach Now on HaveIBeenPwned(haveibeenpwned.com) |
| 95 points by gnabgib 4 hours ago | 41 comments |
| |
|
| ▲ | djee 2 hours ago | parent | next [-] |
| "The data involved consisted only of email addresses and information already visible on public SoundCloud profiles". So they've scraped public data. Why care? |
| |
| ▲ | gnabgib 31 minutes ago | parent | next [-] | | Hackers stole information of 29.8M accounts (~20% of users). SoundCloud is downplaying the data beyond email address as "publicly available", but the data wasn't scraped. "Profile statistics" aren't public either. Their main response[0], seems to focus on passwords and payment details being the only risky data. They even imply email addresses are public. > no sensitive data was taken in the incident.The data involved consisted only of email addresses and information already visible on public SoundCloud profiles (not financial or password data) [0]: https://soundcloud.com/playbook-articles/protecting-our-user... | |
| ▲ | forgotaccount3 2 hours ago | parent | prev [-] | | Maybe the two public data points weren't connected before? I don't use SoundCloud, but if profiles didn't have contact information like Email Address on them then it could be meaningful to now connect those two dots. Like, 'Hey look, Person A, who is known to use email address X, kept Lost Prophets as one of their liked artists even after 2013!' | | |
| ▲ | neom 34 minutes ago | parent | next [-] | | Yeah or this: https://news.ycombinator.com/item?id=26386418 SoundCloud is a weird place, people in entertainment have certain strong incentives. They figured out who I am, figured out all the email addresses I have, jacked the account attached to my SoundCloud, stole my account. I still to this day, don't know how they pwned my email (tfa was on but it didn't trigger suspicious activity it let them login without triggering it, no clue how they got the password either and the password is secure enough that it's too hard to brute force, and it's not in a pwned db). Based on what was in my soundcloud inbox when I got access again, someone paid a fair amount to have this done... and now I have to go change my email again I suppose. | |
| ▲ | cj 41 minutes ago | parent | prev | next [-] | | But, why care? (Yes, we can “care” that there was a leak - but… why worry? what new risk exists today that didn’t yesterday?) The data in the leak (other than follower count, etc) was already available for purchase from Zoominfo, 8sense, or a variety of other data brokers or other legal marketplaces for PII. I suppose the risk now is that the data is freely available and no longer behind a data broker’s paywall? | |
| ▲ | refulgentis 43 minutes ago | parent | prev [-] | | You are 100% correct based on article. Not good that you're gray, and your parent of "who cares it was already available and scraped" is the top comment. |
|
|
|
| ▲ | Alifatisk 3 hours ago | parent | prev | next [-] |
| > the impacted data included 30M unique email addresses, names, usernames, avatars, follower and following counts and, in some cases, the user’s country |
| |
| ▲ | embedding-shape 2 hours ago | parent | next [-] | | Importantly, 20% of the total userbase it seems: > In December 2025, SoundCloud announced it had discovered unauthorised activity on its platform. The incident allowed an attacker to map publicly available SoundCloud profile data to email addresses for approximately 20% of its users. The impacted data included 30M unique email addresses, names, usernames, avatars, follower and following counts and, in some cases, the user’s country. That's from the haveibeenpwned email which I received because of course I'm part of that 20%. Remember to have unique passwords for each website kids, ideally with a password manager. | | |
| ▲ | technion an hour ago | parent | next [-] | | Whilst thats important advice, as far as I can tell it wouldnt help here as no passwords are breached. I had a few of our domain users on this report and as far as I can tell theres nothing actionable. | |
| ▲ | pluralmonad an hour ago | parent | prev [-] | | Also, never give out a direct email address, always an alias. |
| |
| ▲ | loganc2342 3 hours ago | parent | prev [-] | | If I’m understanding correctly, it sounds like, aside from the email addresses, all the data leaked was already publicly available on users’ SoundCloud profiles. The only novel aspect is linking that public data to the accounts’ email addresses. | | |
|
|
| ▲ | TechSquidTV an hour ago | parent | prev | next [-] |
| A lot of "rap gods" are about to be exposed as "Kevin" from suburbia. |
| |
| ▲ | giancarlostoro an hour ago | parent | next [-] | | Lil B is probably fine, but he is the biggest name I recall coming out of SoundCloud. He blew up all over the 2010s, he was the Kanye of Cloudrap too because he took dressing styles and changed it all up similar to Kanye. | | |
| ▲ | gnabgib 24 minutes ago | parent | next [-] | | There's a few big names: Post Malone, Billie Eilish, Lil Nas X, Khalid, Bad Bunny | |
| ▲ | sam1r an hour ago | parent | prev [-] | | Shout out to lil b and those parties at Berkeley he would perform at in ‘12, ‘13. Those were the golden sound cloud years. |
| |
| ▲ | EGreg an hour ago | parent | prev [-] | | This Kevin was still quite impressive https://en.wikipedia.org/wiki/Kevin_Mitnick |
|
|
| ▲ | refulgentis 44 minutes ago | parent | prev | next [-] |
| Kinda sad to see a "Recommended Actions", with only sponsors, with ad copy that would be understood by HN readers but not our non-technical friends. (i.e. a simple "Nothing. No passwords have been leaked yet, only metadata" in this case) |
|
| ▲ | throwaway431234 3 hours ago | parent | prev | next [-] |
| SoundCloud is the worst company, so hostile to former paying users! I am a hobbyist songwriter and have posted my rough mixes (Apple's Music Memo app which adds drum and bass automagically with two clicks & then mix it in Garage Band) on my SoundCloud for more then ten years. I signed up for their Artist Pro account and was a member for of such consistently for a few years at $17 a month. Once you cancel they then hold all your music hostage by hiding it and later threat to delete it. Horrid! |
| |
| ▲ | direwolf20 2 hours ago | parent | next [-] | | A former paying user is not a customer. If you don't pay, why should you receive service? I buy a pizza at this pizza shop every week, but I still don't get free ones. SoundCloud is European, so most of the dark patterns used by American companies to offer "free" service are not available to them, and they are required by law to actually delete data instead of pretending to delete it. | | |
| ▲ | Scoundreller an hour ago | parent [-] | | > I buy a pizza at this pizza shop every week, but I still don't get free ones. Do they take the leftovers from your fridge when you stop buying? | | |
| ▲ | direwolf20 31 minutes ago | parent | next [-] | | If I haven't bought pizza for two months, they use their magical ray, reach into my fridge and turn the leftovers into mold. | |
| ▲ | internetter an hour ago | parent | prev [-] | | The analogy was bad. You're effectively renting space in their fridge. In that case, absolutely. |
|
| |
| ▲ | goblin89 3 hours ago | parent | prev | next [-] | | SoundCloud used to be good prior to the redesign. Recently I decided to evaluate it for serious use and start posting there again, only until their new uploader told me I need to switch to a paid plan, even though I triple-checked I was well within free limits and under my old now unused username I uploaded a lot more (mostly of experimental things I am not that proud of anymore). It looks like their microservices architecture is in chaos and some system overrides the limits outlined in the docs with stricter ones. How can I be sure they respect the new limits once I do pay, instead of upselling me the next plan in line? Adding to that things like the general jankiness or the never-ending spam from “get more fake listeners for $$$” accounts (which seem to be in an obvious symbiosis with the platform, boosting the numbers for optics), the last year’s ambiguous change in ToS allowing them to train ML systems on your work, it was enough for me to drop it. Thankfully, it was a trial run and I did not publish any pending releases. If you still publish on SoundCloud, and you do original music (as opposed to publishing, say, DJ sets, where dealing with IP is problematic), ask yourself whether it is timr to grow up and do proper publishing! | |
| ▲ | hombre_fatal 2 hours ago | parent | prev | next [-] | | The difference between Artist vs Pro is three hours vs unlimited uploaded music. So if you had over three hours uploaded, it seems reasonable for them to restrict the service. If you had <= three, then it would a problem. | |
| ▲ | jacquesm 2 hours ago | parent | prev | next [-] | | You mean you never kept your originals but just uploaded and deleted the masters? | |
| ▲ | PunchyHamster 2 hours ago | parent | prev | next [-] | | that just sounds like customer not paying for service not getting the service | | |
| ▲ | bestham 2 hours ago | parent | next [-] | | The service is freemium, so they had a limited account. Decided to pay for a premium account. And apparently can’t downgrade and get back what they once had. | |
| ▲ | throwaway431234 2 hours ago | parent | prev [-] | | They first hide your songs and as time goes on they start threaten to delete your songs if you dont pay | | |
| ▲ | colordrops 2 hours ago | parent [-] | | What should they do instead? spend money continuously holding your music on disk forever even though you aren't paying them for the service? Sounds like they are being cool about it by keeping it around for a while and warning you before deleting it. | | |
| ▲ | goblin89 7 minutes ago | parent [-] | | The marketing move of offering an unlimited plan reveals that storage and traffic are not that expensive and someone made a choice that light users will subsidize heavy users. With that, hiding your data from you and subsequently deleting it, at least without first encouraging you to download it within some post-downgrade grace period, would be a choice, not necessity, and is user-hostile. |
|
|
| |
| ▲ | crazybonkersai 3 hours ago | parent | prev | next [-] | | You can export your entire profile using yt-dlp. Of course you have to do it, when you are still a paying customer. | | |
| ▲ | dylan604 2 hours ago | parent [-] | | Why would someone that writes their own songs, mixes in GarageBand, uploads to a 3rd party website need to use yt-dlp to get back the files that they themselves made? Yes, I'm intentionally victim blaming here. The victim is complaining about a 3rd party site deleting files. Who cares? Why would you have as your only source of your files the copies stored by the 3rd party? | | |
| ▲ | crazybonkersai a minute ago | parent | next [-] | | You get a point there, but export is mostly about metadata, eg images and description. Data loss happens too. Soundcloud may be your only source of your own tracks. | |
| ▲ | direwolf20 2 hours ago | parent | prev [-] | | Not only that, the victim is complaining about a paid file storage company deleting the files when the victim stops paying |
|
| |
| ▲ | gmueckl 3 hours ago | parent | prev [-] | | Are there any alternatives? | | |
| ▲ | dewey 2 hours ago | parent [-] | | Isn't everyone on YouTube or Bandcamp now for this use case? | | |
| ▲ | alexalx666 2 hours ago | parent [-] | | YouTube is the domain of Satan, also the name is hilarious - you tube? really? I don't tube thaanks |
|
|
|
|
| ▲ | WhereIsTheTruth 43 minutes ago | parent | prev | next [-] |
| By aggregating breach data by email, this tool inadvertently exposes users's full web history, including sensitive sites like crypto/adult/dating platforms, to anyone who knows their address Fun |
| |
| ▲ | rocky_raccoon 4 minutes ago | parent [-] | | From the FAQ [1]: What is a "sensitive breach"? HIBP enables you to discover if your account was exposed in most of the data breaches by directly searching the system. However, certain breaches are particularly sensitive in that someone's presence in the breach may adversely impact them if others are able to find that they were a member of the site. These breaches are classed as "sensitive" and may not be publicly searched. A sensitive data breach can only be searched by the verified owner of the email address being searched for. This is done by signing in to the dashboard which involves verifying you can receive an email to the entered address. Once signed in, all breaches (including sensitive ones) are visible in the "Breaches" section under "Personal". There are presently 82 sensitive breaches in the system including Adult FriendFinder (2015), Adult FriendFinder (2016), Adult-FanFiction.Org, Ashley Madison, Beautiful People, Bestialitysextaboo, Brazzers, BudTrader, Carding Mafia (December 2021), Carding Mafia (March 2021), Catwatchful, CityJerks, Cocospy, Color Dating, CrimeAgency vBulletin Hacks, CTARS, CyberServe, Date Hot Brunettes, DC Health Link, Doxbin and 62 more. [1] https://haveibeenpwned.com/FAQs#SensitiveBreach |
|
|
| ▲ | paulpauper an hour ago | parent | prev [-] |
| all this leaked data pretty much used for one objective now: stealing crypto |
