SoundCloud Let Hackers Walk Off With 29.8 Million Users’ Data. Then Said Nothing.
The Non-Financial Ledger
Imagine waking up and discovering that somewhere on the internet, in a dark-web marketplace you will never be able to visit, a stranger is selling your name, your email, your city, and your SoundCloud username for somewhere between forty and two hundred dollars. You did not consent to that sale. You did not cause it. And the company that handed over your information to the criminal who is now selling it has not sent you a single email, a single text, or a single notification to tell you it happened.
That is not a hypothetical. For 29.8 million people, that is the situation right now.
SoundCloud built a product that millions of people trusted with their real identities. Independent artists put their names on that platform. Fans connected their email addresses to accounts that reflected their taste, their culture, their communities. When you sign up for a streaming service, you are not thinking about server architecture or encryption standards. You are thinking about music. You assume the company thought about the security part so you do not have to.
SoundCloud did not think about it enough. The lawsuit alleges the company knew the risks, had already suffered a similar breach less than two years earlier, and still failed to implement security measures that met basic industry standards. Instead, according to the complaint, SoundCloud chose cheaper, weaker security and kept the difference. The people who paid the price for that calculation are the 29.8 million users who had no seat at that table.
The breach happened in December 2025. Cybersecurity researchers and journalists found out about it weeks later when the hacker announced it publicly. SoundCloud’s own users are still waiting for an explanation. The company has not disclosed the scope of what was taken, the specific vulnerability that was exploited, what steps it is taking to prevent the next attack, or what affected users should do right now to protect themselves. Victims are, in the words of the lawsuit, “left to speculate as to where their PII ended up, who has used it, and for what potentially nefarious purposes.”
That silence is its own kind of harm. It strips people of the ability to make informed decisions about their own safety. It forces people to spend time, energy, and money monitoring their financial accounts, placing fraud alerts on their credit files, and researching protective measures, all because a company chose not to invest sufficiently in keeping their data safe. The FTC estimates the average identity theft victim spends 200 hours over approximately six months just recovering from the theft. That is five weeks of full-time work handed to you as an unpaid job because someone else cut corners.
Twenty-eight percent of people whose data is exposed in a breach become victims of identity fraud. Without a breach, that number is about three percent. SoundCloud took millions of people from a three-percent risk category and dropped them into a twenty-eight-percent risk category without asking, without warning, and without offering any compensation or protection in return.
The stolen data is particularly dangerous because it lends itself to precision. When a criminal has your email, your username, your location, and your profile data from a platform you actually use, they can write a phishing email that sounds like it comes from SoundCloud. They can reference your profile. They can address you by name. They can mention your city. Millions of people who have never thought about spear phishing are now targets for exactly that kind of attack, and they do not know it.
The harm is not confined to this moment. Stolen data can sit in criminal databases for a year or more before being deployed. It can be resold. It can be combined with data from other breaches to build richer profiles of specific individuals. The US Government Accountability Office has confirmed that fraudulent use of stolen information can persist for years after the original theft. The people affected by this breach are not facing a bad week. They are facing a permanent elevation in their personal risk, for the rest of their lives, with no help from the company that caused it.
Legal Receipts: What the Lawsuit Actually Says
The following quotes are taken verbatim from the class action complaint filed February 4, 2026 in the Southern District of New York. These are the words lawyers put in front of a federal judge. Read them carefully.
“Defendant enriched itself by hoarding the costs it reasonably should have expended on data security measures to secure Plaintiff’s and Class Members’ Private Information. Instead of providing a reasonable level of security that would have prevented the Data Breach, Defendant calculated to increase its own profit at the expense of Plaintiff and Class Members by utilizing cheap, ineffective security measures and diverting those funds to its own personal use.”
— Complaint, ¶ 146, Merkel v. SoundCloud Inc., 1:26-cv-00980
- This paragraph constitutes the unjust enrichment claim’s core allegation: the lawsuit is arguing that SoundCloud made a deliberate financial calculation, spending less on security than the law required and pocketing the difference as profit.
- The phrase “calculated to increase its own profit” is significant. It frames the breach as a consequence of deliberate cost-cutting, not simple oversight. That framing, if proven, supports punitive damages.
“SoundCloud has not issued, and does not appear to have issued, any notification, or disclosure to affected individuals or regulatory authorities regarding the data breach, including any explanation of the scope, nature, or potential consequences of the compromise.”
— Complaint, ¶ 42, Merkel v. SoundCloud Inc., 1:26-cv-00980
- This is the silence that compounds every other failure. Data breach notification laws exist in all 50 states. The complaint is alleging SoundCloud violated them by notifying neither the affected users nor regulatory agencies.
- The dual failure, no user notice and no regulatory disclosure, means affected users had no early warning to freeze credit, change passwords, or monitor for fraud. Every day of delay is additional exposure time.
“The Data Breach occurred as a direct result of SoundCloud’s failure to implement and follow basic security procedures to protect its current and former customers’ Private Information that it had collected and stored, even though they suffered a similar attack less than two years ago.”
— Complaint, ¶ 45, Merkel v. SoundCloud Inc., 1:26-cv-00980
- The phrase “less than two years ago” is legally devastating. It establishes that SoundCloud had direct, experiential knowledge that its systems were vulnerable. A prior breach is the highest possible notice that security improvements are not optional.
- Having been attacked before and still failing to implement adequate defenses is the conduct that elevates this from ordinary negligence to reckless disregard. Courts treat prior-notice scenarios more harshly in damages calculations.
“Plaintiff and Class Members are now at a significantly increased and certainly impending risk of fraud, identity theft, intrusion of their privacy, and similar forms of criminal mischief, risks which may last for the rest of their lives since it appears their information was specifically targeted.”
— Complaint, ¶ 11, Merkel v. SoundCloud Inc., 1:26-cv-00980
- “For the rest of their lives” is not rhetorical flourish. Stolen PII does not expire. Email addresses, names, and geographic data remain accurate and usable for years. This is why the lawsuit demands lifetime identity theft protection, not a 12-month credit monitoring subscription.
- “Specifically targeted” matters legally because it defeats the argument that this was random collateral damage. The hacker went after SoundCloud’s user database on purpose, which means the data was known to be valuable and SoundCloud was known to be holding it inadequately.
“The monies Defendant was paid in its ordinary course of business included a premium for Defendant’s cybersecurity obligations and were supposed to be used by Defendant, in part, to pay for the administrative and other costs of providing reasonable data security.”
“Plaintiff and Class Members will need to maintain these heightened measures for years, and possibly their entire lives as a result of Defendant’s conduct. Further, the value of Plaintiff’s and Class Members’ Private Information has been diminished by its exposure in the Data Breach.”
— Complaint, ¶ 60, Merkel v. SoundCloud Inc., 1:26-cv-00980
- The “diminution in value” argument treats personal data as a form of property, which it is under an increasingly large body of law. When your information is stolen and sold, you lose something of real market value, even if that value is hard to see in your bank account.
- The claim that remediation will be necessary “for their entire lives” supports the demand for permanent credit monitoring services rather than temporary ones, which is one of the specific forms of relief requested in the Prayer for Relief.
Societal Impact Mapping
Public Health: The Psychological Toll of Stolen Identity
Data breaches are a documented public health problem. The psychological and physical consequences of identity theft and sustained privacy violation are real, measurable, and severe.
- The complaint directly cites emotional distress as a category of harm, alongside more quantifiable damages. Anxiety, loss of sleep, and feelings of violation are predictable outcomes for people who discover strangers have been trading their personal information.
- Victims of identity theft spend an FTC-estimated average of 200 hours over approximately six months trying to recover, a burden that disrupts employment, family life, and mental health for months at a time.
- The data stolen in this breach, a combination of email addresses, real names, geographic locations, and usernames, is the exact dataset used in spear phishing attacks. Victims who fall for those attacks face cascading fraud across multiple platforms and financial institutions, multiplying the psychological damage.
- The 28% fraud conversion rate means statistically, roughly 8.3 million of the 29.8 million affected users will become identity fraud victims. Each of those cases involves sustained stress, financial disruption, and the grinding labor of reclaiming one’s identity from a bureaucratic system not designed to make it easy.
- SoundCloud has offered no mental health resources, no victim support services, and no identity theft protection. The people carrying the weight of this breach are carrying it alone.
“Once Private Information is exposed, there is virtually no way to ensure that the exposed information has been fully recovered or obtained against future misuse.”
Economic Inequality: Who Gets Hurt the Most
Data breaches do not land equally. The financial and time costs of protecting yourself after a breach fall hardest on people with the least resources to absorb them.
- Identity theft monitoring services, credit freezes, fraud alerts, and legal assistance all cost money. For the millions of SoundCloud users who are working-class or living paycheck to paycheck, these protective measures represent a genuine financial strain imposed by a company that charged them for data security and did not deliver it.
- The complaint documents that stolen personal data is traded on dark-web markets at prices between $40 and $200 per identity. SoundCloud’s users’ information is now an asset in a criminal economy, generating revenue for hackers at the direct expense of the people it was stolen from.
- SoundCloud’s user base is global, covering 190 countries and territories. People in countries with weaker consumer protection frameworks, less robust credit monitoring infrastructure, or fewer legal remedies have even less ability to protect themselves after a breach like this.
- The FTC documents that identity theft complaints nearly doubled over a four-year span, from 2.9 million reports in 2017 to 5.7 million in 2021. This is not an abstract statistic. It means data breaches are converting millions of ordinary people into fraud victims every year, and the companies responsible continue to face insufficient consequences to change their behavior.
- The 200-hour recovery burden is also an economic inequality issue. A person in a salaried professional job can absorb 200 hours of administrative effort with relative stability. A person working hourly jobs, managing childcare, or dealing with housing insecurity cannot. The people least equipped to recover are the people who pay the steepest price.
- The complaint alleges that Plaintiff and Class Members “overpaid for the services they received without adequate data security,” meaning the company charged a market price for a service with an implied security guarantee, delivered neither, and retained the profit. That is a wealth transfer from users to executives.
The “Cost of a Life” Metric
29.8 million: the number of people whose names, emails, locations, and usernames were stolen and sold into criminal markets. At the documented fraud conversion rate of 28%, that means approximately 8.3 million people are statistically expected to become victims of identity fraud as a direct result of this breach.
Each of those 8.3 million cases will cost the victim an average of 200 hours of their life just to begin recovering. That is a collective 1.66 billion hours of unpaid labor extracted from working people by a company that allegedly chose profit over protection.
$40 to $200: the dark-web market price per stolen identity. SoundCloud’s 29.8 million stolen records represent a criminal asset worth between $1.19 billion and $5.96 billion in dark-web transaction value, money that flows to hackers while the people who own that data receive nothing.
SoundCloud has offered zero dollars in compensation, zero months of identity monitoring, and zero public explanation to the 29.8 million people whose data was monetized without their consent.
What Now? How to Fight Back
This case is in federal court. The people who caused this harm have names, and the agencies that are supposed to stop them have complaint lines. Use both.
People Named in This Case
- Plaintiff’s Counsel: Gary F. Lynch, Lynch Carpenter LLP, 1133 Penn Ave, 5th Floor, Pittsburgh PA 15222. This is the firm fighting on behalf of the 29.8 million affected users.
- Defendant: SoundCloud Inc., 2 Gansevoort Street, 6th Floor, New York, NY 10014. This is the company that held your data and lost it.
- SoundCloud executive leadership and board members are not named in the source document. Check SoundCloud’s public filings and LinkedIn for current corporate officers if you wish to contact them directly.
Watchlist: Regulatory Bodies That Can Act
- Federal Trade Commission (FTC): The complaint explicitly cites FTC Act Section 5 violations. File a consumer complaint at reportfraud.ftc.gov. The FTC has enforcement authority over unfair data security practices and has taken companies to court for exactly this conduct.
- Federal Bureau of Investigation Internet Crime Complaint Center (IC3): Report data theft and related fraud at ic3.gov. The FBI tracks cybercrime at scale; your complaint contributes to investigations of groups like ShinyHunters.
- State Attorneys General: Every US state has data breach notification laws. If you are in a state where SoundCloud operates (which is all of them), your state AG may have independent enforcement authority. Find your AG at naag.org.
- Congress: The US has no federal data breach notification law. Your representatives can hear from you about that. Contact them through house.gov and senate.gov.
Protect Yourself Right Now
- Freeze your credit immediately at all three bureaus: Equifax, Experian, and TransUnion. A credit freeze is free and prevents new accounts from being opened in your name. Do it before you need it.
- Change your SoundCloud password today, along with the password on any other account that uses the same email and password combination. The complaint specifically warns that attackers test exposed credentials across multiple platforms.
- Enable two-factor authentication on every account that offers it, starting with your email provider. Your email is the master key to every other account you own.
- Check Have I Been Pwned (haveibeenpwned.com). This is the service that first confirmed the SoundCloud breach. Enter your email to see every known breach you are part of.
- Connect with the class action. If you are a SoundCloud user whose data was compromised, you may be a class member. Monitor ClassAction.org and Lynch Carpenter LLP’s announcements for how to participate.
- Support mutual aid and digital security education in your community. Organizations like the Electronic Frontier Foundation (EFF) provide free resources on digital privacy. Groups like the Surveillance Technology Oversight Project (STOP) organize politically to change the structural conditions that let companies like SoundCloud profit from your data without consequence.
- Talk to people around you. Twenty-nine-point-eight million accounts means someone you know was affected. Share this information. The corporate model that treats user data as a disposable resource only changes when enough people understand what is being done to them and decide it is unacceptable.
The source document for this investigation is attached below.