SoundCloud has officially confirmed that recent service disruptions and widespread VPN access issues were the result of a cybersecurity breach that led to the unauthorized access and theft of user data. The incident involved the exposure of a database containing email addresses and publicly visible profile information, prompting the company to activate its incident response procedures.
VPN Access Issues and Service Outages Explained
Over the past several days, numerous users reported being unable to access SoundCloud while connected through VPN services. These attempts frequently resulted in HTTP 403 “Forbidden” errors, indicating access blocks at the network or application layer.
SoundCloud later confirmed that these access issues were not accidental outages but were linked to security countermeasures deployed during the incident response. A configuration change intended to protect backend systems temporarily disrupted VPN-based connectivity. As of now, the company has not provided a specific timeline for restoring full VPN access.
Breach Origin: Unauthorized Access via Ancillary Service Dashboard
In a statement shared with BleepingComputer, SoundCloud disclosed that it detected unauthorized activity involving an ancillary service dashboard, rather than its core streaming infrastructure. Upon detection, the company initiated containment and investigation protocols.
According to SoundCloud, the scope of the breach was limited:
- No financial data accessed
- No passwords or authentication credentials compromised
- No private messages or unpublished content exposed
The compromised data consisted solely of email addresses and information already visible on public SoundCloud profiles, reducing — but not eliminating — the potential for downstream abuse such as phishing or credential-stuffing campaigns.
Scale of Impact: Millions of Accounts Potentially Affected
Independent reporting indicates that approximately 20% of SoundCloud’s user base may have been impacted. Based on publicly available user metrics, this could translate to roughly 28 million accounts exposed.
While the data itself is not considered highly sensitive, its aggregation in a single dataset significantly increases its value to cybercriminals, particularly for targeted social engineering and extortion operations.
Security Response and Infrastructure Hardening
SoundCloud stated that it has fully blocked all known unauthorized access paths and believes there is no ongoing risk to its systems. In collaboration with third-party cybersecurity specialists, the company implemented additional safeguards, including:
- Enhanced security monitoring and threat detection
- Comprehensive review of identity and access management (IAM) controls
- Broader security assessments of related systems and services
These actions align with current cybersecurity best practices for breach containment and post-incident hardening, particularly for large-scale consumer platforms.
Secondary Attacks and Platform Availability Issues
Following the breach response, SoundCloud experienced denial-of-service (DoS) attacks that temporarily affected website availability. While the company has not explicitly linked these attacks to the data breach, such follow-on activity is a common tactic used by threat actors to apply additional pressure during extortion attempts.
Alleged Involvement of ShinyHunters Extortion Group
Although SoundCloud has not publicly attributed the breach to a specific threat actor, BleepingComputer received credible intelligence indicating that the ShinyHunters extortion group may be responsible.
According to the source, ShinyHunters allegedly exfiltrated the user database and is now attempting to extort SoundCloud. The same group has also been linked to a recent PornHub data breach, reinforcing a broader pattern of attacks against high-visibility consumer platforms.
Ongoing Investigation and Public Disclosure
After initial reporting, SoundCloud published an official security notice confirming the breach and summarizing its findings. The investigation remains ongoing, and additional technical details — such as indicators of compromise (IOCs) or exact intrusion vectors — have not yet been disclosed.
As more information becomes available, further updates are expected, particularly regarding VPN access restoration, attribution confirmation, and any additional mitigation steps users may need to take.
