SoundCloud Data Breach Impacts 29.8 Million Accounts

A data breach at SoundCloud exposed information tied to 29.8 million user accounts, according to Have I Been Pwned. While SoundCloud says no passwords or financial data were accessed, attackers mapped email addresses to public profile data and later attempted extortion. BleepingComputer reports: The company confirmed the breach on December 15, following widespread reports from users who were unable to access SoundCloud and saw 403 "Forbidden" errors when connecting via VPN. SoundCloud told BleepingComputer at the time that it had activated its incident response procedures after detecting unauthorized activity involving an ancillary service dashboard. "We understand that a purported threat actor group accessed certain limited data that we hold," SoundCloud said. "We have completed an investigation into the data that was impacted, and no sensitive data (such as financial or password data) has been accessed. The data involved consisted only of email addresses and information already visible on public SoundCloud profiles."

While SoundCloud didn't provide further details regarding the incident, BleepingComputer learned that the breach affected 20% of all SoundCloud users, roughly 28 million accounts based on publicly reported user figures (SoundCloud later published a security notice confirming the information provided by BleepingComputer's sources). After the breach, BleepingComputer also learned that the ShinyHunters extortion gang was responsible for the attack, with sources saying that the threat group was also attempting to extort SoundCloud. This was confirmed by SoundCloud in a January 15 update, which said the threat actors had "made demands and deployed email flooding tactics to harass users, employees, and partners."

Rumor is they're now renaming to

[Tablizer]

"SoundOnPremise"

I never understand this

[RitchCraft]

"no passwords or financial data were accessed" - You see this all the time. A breach happens and companies almost always claim that no passwords of financial data were accessed. Why is that? Is the security on that information better? If so, then why the hell is that same security not used overall? This makes absolutely no sense.

Re:

[sound+vision]

They would have legal or contractual obligations around storing the credit card information. Probably no such obligations for the other data.

Soundcloud also makes all kind of user data available to advertisers (as usual) but also to the record industry ecosystem of labels, distributors, promoters, etc. They provide dashboards for those guys, so that API is likely where the data leaked from. Especially since they're saying "partners" were harassed.

Re:

[RitchCraft]

Yeah that makes sense, unfortunately. I guess The way to handle this is to create a fake account (fake name, address, burner email, etc..) and never let a web site store your credit card info but instead supply that information (with correct name and address) each time you purchase something.

Re:

[mudimba]

I would imagine it is because the passwords were stored as one-way hashes, and they use a 3rd party payment processor for financial transactions.

Re:

[dbialac]

I think to a great degree we've reached or surpassed a critical mass, where so much data is out there that it's of little value for extortion, unless you do something stupid with your data. The Equifax breach exposed hundreds of millions of records.

Re:

[tlhIngan]

"no passwords or financial data were accessed" - You see this all the time. A breach happens and companies almost always claim that no passwords of financial data were accessed. Why is that? Is the security on that information better? If so, then why the hell is that same security not used overall? This makes absolutely no sense.

Well, it can be they don't store financial information. If you charge a credit card, you can get a token to use to charge the card repeatedly without having to store the actual card