SoundCloud has disclosed a data breach that affected about one-fifth of its user base after unauthorised access was detected on an internal service dashboard. The audio streaming platform said the incident was identified through internal monitoring systems and investigated with support from external cybersecurity specialists. SoundCloud stated that the activity has been contained and that there is no evidence of ongoing unauthorised access.
According to the company, the data accessed during the breach was limited to email addresses and information already visible on public user profiles. SoundCloud said that passwords, payment details, and private messages were not exposed. While the company did not provide an exact number of affected accounts, one-fifth of its global user base represents millions of users worldwide.
SoundCloud reported that the breach was followed by additional disruption to its services. The platform experienced distributed denial of service attacks that temporarily affected availability. Some users also reported difficulties accessing SoundCloud while using virtual private networks. The company said these issues were linked to security changes introduced as part of its response and that work is ongoing to restore normal access for all users.
The company said it has completed its investigation and implemented measures to strengthen its security posture. These steps included reviewing identity and access controls, enhancing monitoring and detection capabilities, and conducting audits of affected systems. SoundCloud acknowledged that some defensive actions may have caused short-term connectivity problems, but said they were necessary to secure the platform.
Although the exposed information was limited, security specialists warn that email addresses combined with public profile data can still present risks. Such information may be used to support phishing campaigns or other social engineering activities. Attackers often use breached email lists to craft messages that appear credible, increasing the likelihood that recipients engage with malicious content.
SoundCloud advised users to remain cautious about unexpected emails or messages claiming to be related to the platform. The company recommended standard security practices such as avoiding suspicious links and verifying the source of communications. It said there is no requirement for users to reset passwords as a result of the incident.
The disclosure highlights the challenges faced by large online platforms that manage vast volumes of user data. Even when sensitive information is not involved, breaches affecting a significant portion of users can have wider implications for trust and security. SoundCloud said it will continue to review its systems and apply further improvements to reduce the risk of similar incidents in the future.