
The SoundCloud data breach just got a lot more real for everyday users, because it is now searchable. Have I Been Pwned (HIBP) has verified and indexed a dataset tied to SoundCloud that impacts 29.8 million accounts, which means you can type in your email and instantly see if you are in it. BleepingComputer reports the listing covers 29.8M accounts, roughly 30M unique email addresses.
Why you should care, even if you never reused a password: this is not primarily a password theft story. It is an identity linkage story. When your email is paired with a creator profile at massive scale, it becomes easier to target you with believable phishing, impersonation, and harassment.
What happened (and what SoundCloud says was exposed)
SoundCloud has described the incident as unauthorized activity connected to an “ancillary service dashboard”, and it has repeatedly been framed as a limited data exposure, not a full account database dump. Coverage summarizing SoundCloud’s notice also says there is no indication of passwords or financial data being exposed, and that the incident affected about 20% of users. PCMag reported that SoundCloud characterized the stolen information as limited, and pegged the impact at around one fifth of its user base. Heise also reports that the exposure was described as limited, with no passwords or financial data indicated in coverage.
That “20%” detail matters. SoundCloud is huge, so even a partial slice is still millions of real people, plus a ton of creators whose accounts double as public-facing brands.
A key point about why this is in the news now: HIBP indexing is what makes the dataset practical for attackers and for you. Once a breach is verified and added to HIBP, it becomes searchable by email, so anyone can quickly confirm whether a specific address appears in the exposed data. That said, a positive result in HIBP does not automatically mean your SoundCloud account was taken over; it means your email address (and potentially associated profile data) was present in the dataset HIBP ingested.
What is not confirmed in the public reporting: an exact technical root cause, a precise start-to-end window for the access, or whether tokens, OAuth connections, or private messages were included. The consistent throughline across higher-credibility coverage is still the key point: limited profile-related data, at a very large scale, with no passwords or payment data called out.
What data may be in the leak, and why “limited” still matters
Here is what shows up most consistently in reporting about the dataset: email addresses paired with profile attributes. That can include things like names, usernames, avatars, follower and following counts, and sometimes country or location. The key security twist is not that your follower count is secret. It is that your email address is now easier to connect to a specific SoundCloud identity in bulk.
- Email to creator mapping: attackers can send “account support” emails that reference your exact handle, display name, or profile image, which boosts believability.
- Impersonation and brand abuse: DJs, labels, and artists are attractive targets because a hijacked or spoofed identity can be used to scam fans, collaborators, and promoters.
- Doxxing and harassment risk: if your SoundCloud persona is supposed to be semi-anonymous, connecting it to an email that appears in other breaches or data brokers can help attackers triangulate more personal details.
This is also where the “mostly public data” argument falls apart. Public profile fields are one thing. Public profile fields bundled with emails at nearly 30 million scale are what attackers pay for, because the bundle saves them time and makes targeting cheap.
How to check if you’re affected (and what to do next)
You can check in about 10 seconds.
- Go to Have I Been Pwned.
- Enter the email address you use for SoundCloud.
- If you see SoundCloud in the results, that email appears in the dataset HIBP indexed. If you do not, it means HIBP has not found that email in the SoundCloud dataset it ingested.
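For anyone checking several addresses, the same lookup can be scripted against the HIBP v3 API. This is an added example, not code from the original article or from HIBP. It assumes you hold an HIBP API key and that the breach is listed under the name "SoundCloud"; the sample response is constructed.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

API = "https://haveibeenpwned.com/api/v3/breachedaccount/{}?truncateResponse=false"

# Constructed sample of an HIBP response for one address (not real data).
# The breach name "SoundCloud" and its data classes are assumptions.
SAMPLE = [
    {"Name": "SoundCloud", "DataClasses": ["Email addresses", "Names", "Usernames",
                                           "Avatars", "Geographic locations"]},
    {"Name": "ExampleForum", "DataClasses": ["Email addresses", "Passwords"]},
]

def fetch_breaches(email, api_key):
    """Query HIBP for one address; needs an HIBP API key and network access."""
    req = urllib.request.Request(
        API.format(urllib.parse.quote(email, safe="")),
        headers={"hibp-api-key": api_key, "user-agent": "exposure-check-example"},
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:  # HIBP returns 404 when the address is in no breach
            return []
        raise

def assess(breaches, service="SoundCloud"):
    """Summarise what a listing for `service` means for this address."""
    hits = [b for b in breaches if b.get("Name", "").lower() == service.lower()]
    if not hits:
        return {"listed": False, "passwords": False, "data_classes": [],
                "action": "not in the indexed dataset"}
    classes = sorted({c for b in hits for c in b.get("DataClasses", [])})
    passwords = "Passwords" in classes
    action = ("change the password now" if passwords
              else "expect targeted phishing; change the password if reused")
    return {"listed": True, "passwords": passwords,
            "data_classes": classes, "action": action}

if __name__ == "__main__":
    print(assess(SAMPLE))
```

The `assess` step only looks at the data classes of the named breach, so a password exposure in an unrelated breach for the same address does not change the SoundCloud verdict.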
If you are affected, treat it like an exposure that raises your odds of being targeted, not proof your SoundCloud account was taken over.
- Change your SoundCloud password anyway, especially if you have ever reused it anywhere else. Even though passwords are not reported as exposed here, credential reuse is how “limited data” incidents turn into real compromises later.
- Turn on the strongest login protection available for your account, and for the email inbox tied to SoundCloud. If someone gets into your email, they can reset a lot more than just SoundCloud.
- Watch for creator-targeted phishing: messages that mention your handle, tracks, follower count, or “copyright claim” style pressure tactics are the ones to be suspicious of.
- Review connected apps and sessions: anything linked for uploads, analytics, or promotion is an extra surface area. Remove what you do not recognize.
- Re-check your public profile settings: limit contact details, external links, or anything that makes it easier to connect your music persona to your real identity.
- Lock down your email account: review mailbox rules and forwarding settings for anything you did not create, since attackers who gain access to email often hide evidence and intercept password reset messages.
What not to assume: this dataset alone does not confirm someone can log in to your account. Reporting around the incident has not claimed password theft or financial data exposure. The immediate risk is targeted social engineering and impersonation.
The bottom line: HIBP indexing turns the SoundCloud data breach from a vague headline into a simple yes-or-no check. Do the lookup, tighten your account hygiene, and treat unexpected emails and DMs as higher-risk if they reference your SoundCloud identity.
