- The popular music platform, SoundCloud, suffers a serious data breach carried out by a cybercriminal organization known as “ShinyHunters.”
- The platform has acknowledged the attack and indicated it affected about 29.9 million users’ accounts.
- The volume of the impact has raised more concerns regarding the increasing trend in cyberattacks and potential ways for users to remain safe in the digital space.
The digital landscape records another major data breach as Have I Been Pwned, a data notification service, reports an attack on SoundCloud, an online music platform. According to the report, hackers exfiltrated personal and contact details of SoundCloud accounts, affecting about 29.8 million users.
This week, SoundCloud has confirmed the exposure of personal details of millions of accounts, representing approximately one-fifth of all accounts. As a result, there is concern about the lack of safety and security in communicating and identifying oneself online.
SoundCloud first suspected a hack when users, particularly those accessing the service via VPN or other proxies, began encountering ‘403 Forbidden’ errors. This triggered an investigation by SoundCloud’s security team and ultimately led to publicly disclosure of the breach.
Launched in 2007, SoundCloud has risen to the top and hosts over 400 million songs from about 40 million creators and artists. Also, the platform serves as a major advertising support for several musicians, podcasters, and consumers.
What Hackers Took and What They Didn’t
Data breach tracker Have I Been Pwned reports that hackers accessed personal information from roughly 29.8 million accounts. This included:
- Email addresses
- Usernames and display names
- Profile photos and avatars
- Follower and following counts
- Some users’ geographic locations
SoundCloud confirmed that attackers did not access passwords or financial information, including credit cards, during the breach. This means users’ payment details and login passwords appear to remain safe. Connecting email addresses to the names shown on the profiles of users offers criminals very useful information.
Cybersecurity professionals assert that this information will assist criminals in developing real looking scam emails or fake social networks to deceive individuals into providing further personal information or clicking on malicious links. The FTC warns that email leaks such as these enhance the effectiveness and danger of various types of phishing crimes.
The misuse of stolen personal data can escalate far beyond spam, as seen in cases where hackers have specifically targeted and exploited private photos, leading to severe trauma for victims and resulting in substantial prison sentences for the perpetrators.
Hackers Associated with the SoundCloud Violation and Increased User Danger
Security researchers linked the breach at SoundCloud to a well-known group of hackers called the “ShinyHunters,” who have also committed many other high-profile breaches of data and attempted extortion.
After stealing users’ account information, the hackers are trying to extort SoundCloud for monetary remuneration as well as email flooding to SoundCloud’s customers, employees, and partners. This means that they are utilizing spam methods to overwhelm email accounts with excessive amounts of email, thereby placing added pressure on the company.
Along with acknowledging the threats, SoundCloud’s security team, working with outside experts, is reviewing the incident to determine whether hackers actually took data or plan to release more.
Experts state that this method of extortion attempts has been happening more frequently. Hackers often steal large batches of user data not just to use it themselves, but to try to enforce ransom demands by threatening companies with public leaks or harassment campaigns.
This incident shows that even seemingly harmless information, like your public profile, can be exploited by bad actors to cause harm. If they snag email addresses and names together, they can send out super convincing fake emails that trick people.
What Users Should Do Now
SoundCloud has not yet said when it will release more information or whether further protective measures are coming. Below are some steps that all users can take as a result of this breach:
- Check if your email was compromised: services like Have I Been Pwned let users see if their email appears in known leaks, a smart first step after any major data breach.
- Activate two-factor authentication (2FA) on your account: Using 2FA will add an extra layer of security to your account. Even if an attacker guesses or obtains your passwords or PINs, they cannot access your account without the second authentication code sent to your mobile device or generated by special software.
- Stay alert for scam emails: If you receive an unsolicited email that contains a link or an attachment purporting to be from SoundCloud, do not click on the link or download the attachment, go directly to the SoundCloud website. Your computer will be a better place to go to access SoundCloud.
- Update your passwords and email security: Even though no email leak occurred, changing your password, using a strong one, and enabling 2FA will lower the risk of attackers accessing other accounts linked to your email.
The new breach of SoundCloud is an incredibly significant occurrence in the music and creator industry. Though the exposed data does not contain highly sensitive personal information such as credit card information, making your personal profile information and email available to the public is still impactful. Cybercriminals and scammers often use previously leaked data to launch further attacks.
As online services continue to expand, it is important for online users to take their own security seriously, as the importance of having good security practices has never been greater.
