SoundCloud Data Breach: Were Your Email and Profile Among the 29.8 Million Exposed?

Quick answer: A class action lawsuit filed on February 4, 2026, alleges that SoundCloud failed to protect the personal information of nearly 30 million users from the hacker group ShinyHunters in a cyberattack discovered in December 2025. The compromised data includes email addresses, usernames, display names and location data. No passwords or financial information were released. If you have a SoundCloud account, check HaveIBeenPwned.com to see if your data has been included.

The breach affected approximately 29.8 million accounts – approximately 20% of SoundCloud’s entire user base. The data was first leaked online in January 2026 after ShinyHunters attempted to extort the company.

A lawsuit filed in the United States District Court for the Southern District of New York (Case No. 1:26-cv-00980, Merkel v. SoundCloud Inc.) claims that SoundCloud “recklessly failed to implement standard cybersecurity measures” and “negligently maintained users’ PII.” SoundCloud has not yet publicly responded to the lawsuit’s allegations.

What data has been exposed?

✗ Data exposed in the breach

  • Email addresses
  • Usernames and display names
  • Profile avatars
  • Follower and following counts
  • Country of origin/geographical location
  • Profile statistics

✓ Data NOT exposed

  • Passwords
  • Financial data or payment information
  • Private messages
  • Private audio content
  • Social Security Numbers

The breach occurred via unauthorized access to an internal service dashboard, according to Fox News reporting. This method allowed attackers to link hidden email addresses to publicly available profile data – a technique designed to build detailed profiles of users for phishing or spam campaigns.

Why exposed email addresses still matter: Even without passwords, your email address + username + location profile being in criminal hands poses a real risk. It enables targeted phishing attacks (“Your SoundCloud account has been hacked – click here”), credential stuffing against other accounts using password reuse, and spam related to your specific musical interests and location.

Scope of the SoundCloud Breach: Approximately 20% of user accounts are compromised

How to check if you are affected

  • Check HaveIBeenPwned.com: Go to haveibeenpwned.com and enter your email address. The SoundCloud breach has been indexed. If you see this in your results, your data has been made public.
  • Look out for unusual emails: Be wary if you receive an email claiming to be from SoundCloud asking you to verify your account, reset a password, or take action on a “suspicious login.” These are likely phishing attempts using your exposed data.
  • Check your inbox for a SoundCloud breach notification: SoundCloud was expected to notify affected users. Please check your spam folder if you have not received one.

What the lawsuit claims

The class action filed on behalf of Alexander Merkel, a California resident, alleges that SoundCloud breached multiple legal duties to protect user data. According to the complaint, the company:

  • Failed to implement adequate cybersecurity measures despite hackers like ShinyHunters actively targeting user databases
  • Maintained users’ personal information in a negligent manner
  • Failed to comply with FTC guidelines and industry standard security practices
  • Did not take reasonable steps to prevent unauthorized access to the internal dashboard

The lawsuit seeks class-wide damages for negligence, breach of implied contract and unjust enrichment. The class is defined as anyone whose personal information was compromised in the breach – potentially all 29.8 million affected accounts.

ShinyHunters pattern: This isn’t SoundCloud’s first exposure to this group. ShinyHunters has been behind numerous high-profile data breaches focused on online platforms. Their standard playbook is to steal data, demand a ransom, and then leak it publicly if companies don’t pay up. SoundCloud apparently didn’t pay – and in January 2026, the data of 29.8 million users was exposed online.

What to do now

  • Change your SoundCloud password immediately – even though passwords were not made public, it is good practice after any breach. Use a unique password that you don’t use anywhere else.
  • Check your other accounts for password reuse – if you’ve been using the same password with SoundCloud as elsewhere, change those accounts now. Password reuse is how most account takeovers occur after data breaches.
  • Enable two-factor authentication (2FA) on SoundCloud and all accounts where it is available. Even if attackers have your password, 2FA blocks access.
  • Be extra vigilant about phishing emails – any email that references your SoundCloud account, especially one asking you to ‘verify’, ‘confirm’ or ‘click here’, should be considered suspicious. Instead of clicking email links, go directly to soundcloud.com.
  • Check your email for suspicious activity — your email address is now in criminal hands. Set up alerts on your primary email account for unusual logins.
  • Keep an eye out for class action announcements — if you had a SoundCloud account before the breach, you may be eligible to participate in the class. Class action notices are generally sent to registered email addresses. If a settlement is reached, you may receive a claim notice.

Data breaches often lead to identity theft or fraudulent debt collection attempts. If unexpected collection notices appear after this breach, check Find Your Path to understand your options – and never pay a collection agency without first verifying that the debt is real and legitimate.

29.8 million: Accounts exposed

~20%: of SoundCloud’s user base

January 2026: Data leaked online

Key Takeaways

  • December 2025 breach by ShinyHunters exposed 29.8 million SoundCloud accounts
  • Exposed data: emails, usernames, display names, location, profile statistics – no passwords or financial data
  • On February 4, 2026, a class action lawsuit (Merkel v. SoundCloud Inc.) was filed with the SDNY
  • Check HaveIBeenPwned.com to see if your account has been listed
  • Change your password, enable 2FA, and keep an eye out for phishing emails that use your disclosed credentials

Frequently asked questions

Was my SoundCloud password exposed during the breach?

No. According to available information about the SoundCloud breach, passwords, financial data and private content have not been made public. The compromised data was limited to publicly linked profile information, including email addresses, usernames, display names, location data, and profile statistics. That said, you should still change your SoundCloud password as a precaution, and especially if you’ve reused that password on other accounts.

How do I know if my SoundCloud account was part of the breach?

Visit HaveIBeenPwned.com and enter the email address associated with your SoundCloud account. The site indexes data breach databases and will tell you if your email appeared in the SoundCloud breach. You can also set up free alerts to be notified of future breaches involving your email address.

Who is ShinyHunters and why should I worry?

ShinyHunters is a prolific hacker group known for stealing and selling or leaking large databases from online platforms. They have been linked to dozens of major data breaches. Their typical method is to steal data, extort the company and make the data public if demands are not met. Once released, the data circulates among criminal networks and is used for years for phishing, identity theft, credential stuffing, and targeted spam.

How can I join the SoundCloud data breach class action lawsuit?

The class action (Merkel v. SoundCloud Inc., Case No. 1:26-cv-00980, SDNY) was just filed in February 2026 and has not yet reached the settlement or claims stage. You do not need to take any action now to preserve your rights; anyone whose data was compromised would automatically be part of the class. Keep an eye out for future communications via your SoundCloud-associated email address. If a settlement is reached, you will receive information on how to file a claim.

What should I do if I receive suspicious emails or phone calls after this breach?

Treat any unexpected contact that refers to your SoundCloud account as a potential phishing attempt. Never click on links in such emails; go directly to SoundCloud.com. If you get calls from collection agencies or financial companies you don’t recognize, verify the debt before paying anything. Data breaches are often followed by waves of fraudulent collection attempts targeting the exposed individuals. If you believe you are being contacted fraudulently, you can file a complaint with the FTC at reportfraud.ftc.gov.

Sources: Top Class Actions – SoundCloud Data Breach Lawsuit | Fox News – SoundCloud Data Breach | Have I Been Pwned – SoundCloud Breach

Consumer debt expert and investigative writer. Survivor of Personal Bankruptcy (1990). Award-winning author of the Washington Post. Exposing debt fraud since 1994.
