SoundCloud Data Breach Exposes 29.8 Million Users With No Warning

SoundCloud Left 29.8 Million Users Exposed and Said Nothing
Corporate Misconduct Accountability Project · Class Action Watch

A hacker stole the personal data of nearly 30 million SoundCloud users in December 2025. The company issued no notification, offered no protection, and left users at permanent risk of identity theft and fraud.

Music Streaming / Tech
Class Action Filed Feb 4, 2026
SDNY · Case 1:26-cv-00980
🔴 CRITICAL SEVERITY
TL;DR

In December 2025, a hacker known as “ShinyHunters” broke into SoundCloud’s servers and stole the personal data of approximately 29.8 million users, including names, email addresses, geographic locations, usernames, and profile metadata. SoundCloud has issued no notification to affected users, offered no identity theft protection, and provided no meaningful explanation of what was taken or how it happened. Worse, this appears to be the company’s second major breach in less than two years, meaning SoundCloud had already been warned and still failed to fix its systems. Nearly 30 million people now face a lifetime risk of identity theft, phishing, fraud, and impersonation because a company they trusted refused to spend what it would cost to protect them.

This is not a data incident. This is a betrayal. Demand accountability now.

29.8M · User accounts compromised in the breach
20% · Of SoundCloud’s total user base exposed
28% · Of data breach victims become identity fraud targets
200hrs · Average time consumers spend recovering from identity theft (FTC)
$200 · Max dark web price per stolen personal record
$5M+ · Class action aggregate damages threshold
โš ๏ธ The Breakdown
โš ๏ธ
Core Allegations: What SoundCloud Did
Negligence, contract breach, unjust enrichment ยท 8 points
โ–พ
01 In December 2025, a hacker using the moniker “ShinyHunters” breached SoundCloud’s servers and stole personal data from approximately 29.8 million user accounts, including names, email addresses, geographic locations, usernames, and profile metadata. high
02 SoundCloud issued no notification to affected users, no disclosure to regulatory authorities, and provided no explanation of the scope, nature, or potential consequences of the breach. high
03 The breach is alleged to be SoundCloud’s second major cyberattack in less than two years, meaning the company had prior warning and still failed to implement adequate protections. high
04 SoundCloud maintained user data on servers vulnerable to cyberattack, failed to implement industry-standard encryption and access controls, and failed to monitor outgoing traffic for signs of exfiltration. high
05 Approximately 20% of SoundCloud’s entire user base had their private information compromised, according to SoundCloud’s own disclosure in its “Protecting Our Users” article. high
06 SoundCloud has not offered identity theft monitoring or protection services to any affected user, despite the foreseeable and long-lasting risk of fraud, phishing, and impersonation that follows a breach of this scale. high
07 The company intentionally, willfully, recklessly, or negligently failed to implement adequate measures to safeguard user data, failed to prevent unauthorized disclosure, and failed to follow applicable encryption protocols, even for internal use. high
08 Plaintiff and class members are now at a significantly increased, certainly impending risk of fraud, identity theft, and privacy intrusion, risks that may persist for the rest of their lives because the stolen data was specifically targeted. high
๐Ÿ›๏ธ
Regulatory Failures: FTC Guidelines Ignored
How oversight was undermined ยท 6 points
โ–พ
01 The FTC Act prohibits unfair or deceptive acts in commerce. The FTC has explicitly concluded that failing to maintain reasonable data security for consumers’ sensitive personal information is an “unfair practice” under the Act, a standard SoundCloud is alleged to have violated. high
02 SoundCloud failed to identify and assess vulnerabilities in its network connections, failed to disable unnecessary network services, and failed to use a border firewall, all of which are basic FTC-recommended security practices. high
03 The FTC directs companies to use intrusion detection systems to identify breaches immediately and to maintain an immediate response plan. SoundCloud appears to have had neither, given that no notification was issued to users following the incident. high
04 SoundCloud failed to monitor outgoing traffic for signs of data exfiltration, a practice the FTC explicitly recommends so companies can detect “unexpectedly large amounts of data being transmitted to an unknown user.” med
05 SoundCloud was aware of its obligations under the FTC Act and aware of the significant repercussions of failure, yet continued to store user PII without implementing the required safeguards. high
06 SoundCloud’s violation of FTC guidelines constitutes negligence per se under the complaint, meaning the company’s own failure to meet established legal standards is itself evidence of wrongdoing. high
Profit Over People: Security Costs Diverted
How cost-cutting enabled the breach · 4 points
01 The complaint alleges SoundCloud “calculated to increase its own profit at the expense of Plaintiff and Class Members by utilizing cheap, ineffective security measures and diverting those funds to its own personal use.” high
02 User fees paid to SoundCloud included a premium for cybersecurity obligations. The company accepted that premium but failed to deliver the security it was paid to provide. high
03 SoundCloud profited from retaining and using user data for business purposes while simultaneously refusing to invest in the security infrastructure necessary to protect that data. high
04 The complaint notes that user PII “remains unencrypted and available for unauthorized third parties to access and abuse,” suggesting SoundCloud still has not taken corrective action even after the breach was publicly disclosed. high
Economic Fallout: The Real Cost to Real People
Financial harm to 29.8 million users · 7 points
01 Stolen personal records sell for $40 to $200 on dark web markets. “Fullz” packages, which bundle identity details for fraudulent use, are also available, meaning the 29.8 million stolen SoundCloud records have immediate commercial value to criminals. high
02 28% of individuals affected by a data breach become victims of identity fraud, compared to just 3% of the general population. For SoundCloud’s 29.8 million affected users, that translates to a projected 8.3 million potential fraud victims. high
03 The FTC estimates that recovering from identity theft takes an average of 200 hours of work over approximately six months per victim, a massive, uncompensated burden placed entirely on users by SoundCloud’s negligence. high
04 Stolen data may be held for up to a year or more before being weaponized, and once sold on the dark web, fraudulent use can continue for years, meaning affected users face a financial threat that may outlast any legal remedy. high
05 Affected users face out-of-pocket costs for identity theft protection services, credit monitoring, fraud alert placement, and time spent resolving downstream fraud, all expenses that SoundCloud caused but has not agreed to cover. med
06 The value of exposed personal data diminishes permanently once stolen. Users who entrusted SoundCloud with their information now hold data that has lost market value, a form of intangible property damage the complaint explicitly identifies. med
07 The aggregate claims of all class members exceed $5 million, the threshold for federal class action jurisdiction, indicating the scale of economic harm at stake across the affected user base. med
Privacy and Safety Violations: The Human Impact
Emotional harm, privacy loss, ongoing vulnerability · 5 points
01 Affected users now face “high-precision phishing campaigns” weaponized by their own profile data. Criminals who know a target’s email, username, and geographic location can craft convincing impersonation attacks across multiple platforms. high
02 Plaintiff and class members have suffered and will continue to suffer emotional distress, anxiety, and loss of privacy as a direct result of the breach, harms that are real, ongoing, and recognized as compensable injuries under the complaint. med
03 SoundCloud users with public-facing profiles are now at increased risk of impersonation and social engineering attacks, precisely because the stolen data intersects with publicly visible profile information, making targeted deception easier. high
04 Compromised email addresses can be tested across other platforms by attackers to identify reused passwords. For SoundCloud users who reuse credentials, the breach creates a vector of attack far beyond the platform itself. high
05 Plaintiff and class members remain at continued risk because their data is still in SoundCloud’s possession on systems shown to be vulnerable, meaning future breaches are not theoretical but probable absent corrective action. high
Accountability Failures: Silence as Corporate Policy
No notice, no protection, no accountability · 5 points
01 SoundCloud has not notified affected users, has not disclosed the breach to regulatory authorities, and has not provided any credit monitoring or identity theft protection services, despite knowing about the incident and its obligations under law. high
02 Plaintiff and class members “remain in the dark regarding what data was stolen, the particular malware used, and what steps are being taken to secure their PII in the future,” according to the complaint, forcing them to speculate about risks to their own personal information. high
03 The class action seeks lifetime identity theft protection services, not just temporary credit monitoring, because the stolen data creates permanent and ongoing risk that far outlasts any short-term remedy the company might offer. high
04 SoundCloud promulgated a privacy policy promising to protect user data but then failed to honor that commitment, breaching both the explicit expectations of users and the implied contract that governed the relationship. high
05 The complaint requests punitive damages, reflecting the allegation that SoundCloud’s conduct was not merely negligent but willful and reckless, a standard of corporate wrongdoing that goes beyond simple oversight failure. high
๐Ÿ• Timeline of Events
Dec 2025
SoundCloud detects “unauthorized activity in an ancillary service dashboard,” according to its own disclosure. A hacker using the alias ShinyHunters exfiltrates data from approximately 29.8 million user accounts.
Jan 13, 2026
SoundCloud publishes a brief article titled “Protecting Our Users and Our Service,” acknowledging a “purported threat actor group accessed certain limited data” but providing no meaningful detail about scope or affected users.
Jan 23, 2026
DataBreach.com publicly reports on the SoundCloud incident. The breach begins attracting significant cybersecurity media attention despite SoundCloud’s silence toward its own users.
Jan 27, 2026
Have I Been Pwned and BleepingComputer confirm the SoundCloud breach affects 29.8 million accounts. The stolen data is indexed and made available for verification by affected users through third-party breach notification services.
Feb 2, 2026
CentralEyes and Cyberpress report on the confirmed breach. SoundCloud still has not issued direct notification to the 29.8 million affected users.
Feb 4, 2026
Plaintiff Alexander Merkel files a class action complaint in the Southern District of New York (Case 1:26-cv-00980) against SoundCloud Inc., seeking damages, injunctive relief, and lifetime identity theft protection for all affected users.
💬 Direct Quotes from the Legal Record
QUOTE 1 · Silence as strategy · Accountability Failures
“Defendant does not appear to have provided any response nor any notice regarding the Data Breach.”
💡 Despite knowing about the breach in December 2025, SoundCloud chose not to notify the nearly 30 million users whose personal data was stolen, leaving them unable to protect themselves.
QUOTE 2 · Deliberate disregard of user rights · Core Allegations
“Defendant disregarded the rights of Plaintiff and Class Members by intentionally, willfully, recklessly, and/or negligently failing to implement adequate and reasonable measures to ensure that Plaintiff’s and Class Members’ PII was safeguarded.”
💡 This is the complaint’s sharpest language, alleging that SoundCloud’s failure was not accidental but a product of deliberate choices that prioritized cost over user safety.
QUOTE 3 · Profit motive named explicitly · Profit Over People
“Defendant calculated to increase its own profit at the expense of Plaintiff and Class Members by utilizing cheap, ineffective security measures and diverting those funds to its own personal use.”
💡 The complaint directly accuses SoundCloud of treating user security as a cost to be avoided, not a responsibility to be honored, prioritizing profit over the safety of 29.8 million people.
QUOTE 4 · Lifetime harm, not a temporary inconvenience · Economic Fallout
“Plaintiff and Class Members are now at a significantly increased and certainly impending risk of fraud, identity theft, intrusion of their privacy, and similar forms of criminal mischief, risks which may last for the rest of their lives since it appears their information was specifically targeted.”
💡 This is not a temporary inconvenience. The complaint frames the harm as a permanent condition, one that SoundCloud’s negligence has imposed on millions of people indefinitely.
QUOTE 5 · Users kept in the dark · Accountability Failures
“Plaintiff and Class Members remain in the dark regarding what data was stolen, the particular malware used, and what steps are being taken to secure their PII in the future.”
💡 Without knowing what was taken or how, affected users cannot protect themselves. SoundCloud’s silence is not neutral; it actively increases the harm to every person whose data was stolen.
QUOTE 6 · The phishing threat is specific and documented · Privacy and Safety
“The sheer volume of scraped data creates a fertile ground for high-precision phishing campaigns that could weaponize this information against the platform’s user base.”
💡 Security experts cited in the complaint make clear that the breach data is not just stored; it is actionable. Criminals can and will use it to target victims with personalized scams.
QUOTE 7 · A second breach in less than two years · Core Allegations
“The Data Breach occurred as a direct result of SoundCloud’s failure to implement and follow basic security procedures to protect its current and former customers’ Private Information that it had collected and stored, even though they suffered a similar attack less than two years ago.”
💡 This is not a company that was caught off guard. SoundCloud had already experienced a comparable breach and still failed to fix its systems, making this second incident even more inexcusable.
QUOTE 8 · Stolen data persists as a weapon · Economic Fallout
“Once stolen data have been sold or posted on the Web, fraudulent use of that information may continue for years.”
💡 Cited from a U.S. Government Accountability Office study, this underscores why short-term credit monitoring is wholly inadequate and why the class action demands lifetime identity theft protection.
💬 Commentary
❓ What exactly was stolen in the SoundCloud breach?
Names, email addresses, geographic locations, usernames, profile metadata, and profile statistics were exfiltrated. While this may not include financial account numbers directly, it is precisely the type of data criminals use to launch targeted phishing attacks, test credentials across other platforms, and craft convincing impersonation schemes. The complaint is explicit: the data was specifically targeted, not incidentally caught in a broad sweep.
โ“ Why didn’t SoundCloud tell its users? โ–พ
That is the central question the lawsuit asks. SoundCloud knew about the breach in December 2025. It published a vague internal article acknowledging “unauthorized activity” in January 2026 but issued no direct notification to the 29.8 million affected users and no disclosure to regulatory authorities. Companies sometimes avoid notification because it triggers legal obligations, attracts regulatory scrutiny, and damages their public reputation. But silence is not a neutral choice. Every day a user does not know their data was stolen is another day they cannot take protective action.
โ“ Is this lawsuit legitimate, and does it have merit? โ–พ
The complaint presents a well-documented legal theory built on negligence, breach of implied contract, breach of the implied covenant of good faith and fair dealing, unjust enrichment, and declaratory judgment. Each claim is supported by specific factual allegations drawn from SoundCloud’s own disclosure and third-party security reporting. The FTC Act violations alleged are a recognized legal basis for data breach liability. The case was filed by Lynch Carpenter LLP, a firm with significant class action experience, in the Southern District of New York. The merits will ultimately be determined by the court, but the legal foundation is substantive, not frivolous.
โ“ How did the hacker get in? โ–พ
The complaint does not specify the exact attack vector, because SoundCloud has not disclosed it. What is alleged is that SoundCloud maintained user data on inadequately protected network servers and failed to implement basic security practices including proper encryption, access controls, and network monitoring. The FTC’s guidance on each of these practices is publicly available. SoundCloud, a company operating in 190 countries with tens of millions of users, had the resources and the legal obligation to implement them. The decision not to do so is what made the breach possible.
โ“ What does the lawsuit actually ask for? โ–พ
The complaint requests class certification for all U.S. users whose data was compromised, actual and punitive damages, injunctive relief requiring SoundCloud to overhaul its security practices, at least ten years of credit monitoring services for all affected users, lifetime identity theft protection, and attorneys’ fees. It also requests a declaratory judgment establishing that SoundCloud currently maintains inadequate security and is legally obligated to fix it. These are not minor administrative corrections. They are demands for systemic change backed by the threat of substantial financial liability.
โ“ This is SoundCloud’s second breach in under two years. Why does that matter? โ–พ
It matters enormously because it removes any claim of ignorance. A first breach is often characterized as an unforeseen event. A second breach, following the same general pattern, on the same inadequately protected infrastructure, is a structural failure representing a corporate decision not to fix known problems. The complaint uses this directly: SoundCloud had prior warning and still did not implement basic security procedures. That pattern of deliberate inaction is what transforms a data security failure into corporate misconduct.
โ“ Am I at risk even if I deleted my SoundCloud account? โ–พ
Potentially yes. The complaint alleges SoundCloud stored former users’ PII longer than reasonably necessary and failed to delete it after the relationship ended. If your data was in SoundCloud’s systems at the time of the breach, regardless of whether your account was still active, it may have been exfiltrated. This is one of the specific breach of implied contract claims: SoundCloud agreed to delete user data once the relationship ended but allegedly failed to do so.
โ“ What can I do to protect myself and prevent this from happening again? โ–พ
Check Have I Been Pwned (haveibeenpwned.com) to see if your email was included in the SoundCloud breach. Change your SoundCloud password and any password you reuse across other platforms immediately. Enable multi-factor authentication on every account that supports it. Place a credit freeze with all three major bureaus (Equifax, Experian, TransUnion) at no cost; this prevents new accounts from being opened in your name. Monitor your existing accounts for unusual activity. Beyond self-protection, contact your elected representatives and demand stronger data security legislation with mandatory notification timelines, minimum security standards, and real penalties for companies that fail to protect user data. Corporate accountability requires legal consequences, and those consequences only come with political pressure.


Aleeia

I'm the creator of this website. I have 6+ years of experience as an independent researcher studying corporatocracy and its detrimental effects on every single aspect of society.

For more information, please see my About page.

All posts published by this profile were either personally written by me, or I actively edited / reviewed them before publishing. Thank you for your attention to this matter.
