Summary: A significant security incident has hit SoundCloud, exposing the personal details of nearly 30 million unique accounts. The breach, which originated from an “unauthorized mapping and data enumeration” attack on its API, includes email addresses, full names, and profile metadata. The data was indexed by breach notification services today, January 28.
Business Impact: High risk of credential stuffing and spear-phishing. For corporate environments, this leak provides a map of employee email addresses and social identifiers that can be used to craft convincing social engineering attacks against your internal staff.
Why It Happened: Threat actors exploited a legacy API endpoint that lacked both rate limiting and robust authentication, which allowed them to systematically scrape the user database over several months.
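Detection sketch (an added example, not code from SoundCloud or from the original report): because scraping spread over months can stay under a per-minute rate limit, this flags clients by how many distinct user IDs they read across the whole log window. The log format, the `/legacy/users/<id>` path, the addresses, the token and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import date, timedelta

# Assumed log format: "<ISO time> <client> <token or -> GET <path> <status>"
LINE = re.compile(
    r"(?P<day>\d{4}-\d{2}-\d{2})T\S+ (?P<client>\S+) (?P<auth>\S+) "
    r"GET /legacy/users/(?P<uid>\d+) (?P<status>\d{3})$")

def constructed_sample():
    """Constructed log: one slow unauthenticated scraper, one ordinary client."""
    lines, start = [], date(2025, 10, 1)
    for i in range(60):
        day = start + timedelta(days=i)
        for j in range(5):  # only 5 requests a day, each a new sequential ID
            lines.append(f"{day}T03:00:0{j}Z 198.51.100.7 - "
                         f"GET /legacy/users/{1000 + i * 5 + j} 200")
        for uid in (42, 43, 44):  # authenticated, revisits the same profiles
            lines.append(f"{day}T12:00:00Z 203.0.113.20 tok_a "
                         f"GET /legacy/users/{uid} 200")
    lines.append("malformed line, skipped by the parser")
    return lines

def find_enumerators(lines, min_distinct=200, min_days=30):
    """Flag clients by distinct IDs read over the whole window, not by rate."""
    ids, days = defaultdict(set), defaultdict(set)
    unauth, total = defaultdict(int), defaultdict(int)
    for line in lines:
        m = LINE.match(line)
        if not m or m["status"] != "200":
            continue
        c = m["client"]
        ids[c].add(int(m["uid"]))
        days[c].add(m["day"])
        total[c] += 1
        unauth[c] += m["auth"] == "-"
    findings = {}
    for c, seen in ids.items():
        if len(seen) < min_distinct or len(days[c]) < min_days:
            continue
        ordered = sorted(seen)
        steps = sum(b - a == 1 for a, b in zip(ordered, ordered[1:]))
        findings[c] = {"distinct_ids": len(seen), "active_days": len(days[c]),
                       "sequential_ratio": round(steps / max(len(ordered) - 1, 1), 2),
                       "unauth_ratio": round(unauth[c] / total[c], 2)}
    return findings

if __name__ == "__main__":
    print(find_enumerators(constructed_sample()))
```

A sequential ratio and an unauthenticated ratio both near 1.0 on a client with hundreds of distinct IDs is the enumeration signature; the ordinary client re-reads three profiles and is never flagged.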
Recommended Executive Action: Remind staff that personal account breaches often lead to corporate phishing. Mandate a change of any passwords that were shared between SoundCloud and corporate accounts (though this practice should already be banned via policy).
Hashtags: #SoundCloud #DataBreach #APIsecurity #Infosec #CredentialLeak #Privacy
