Comment by Alifatisk
> the impacted data included 30M unique email addresses, names, usernames, avatars, follower and following counts and, in some cases, the user’s country
> the impacted data included 30M unique email addresses, names, usernames, avatars, follower and following counts and, in some cases, the user’s country
Also, never give out a direct email address, always an alias.
Gmail plus addressing is like the most widely known thing ever and also like the first thing checked by every scammer and hacker. It's so useless I've been using it for practically ever and spam related to brand new data breaches still has it stripped out. There have only ever been like two occasions where a spam email in my inbox didn't strip out the plus address.
Use something like Firefox Relay where it's impossible to strip out anything.
I mean aliases provided by some service providers. Never been of fan of the + style pretend aliasing. Takes very little sophistication to extract the real email. A real forwarding alias does not expose the true email.
If I’m understanding correctly, it sounds like, aside from the email addresses, all the data leaked was already publicly available on users’ SoundCloud profiles. The only novel aspect is linking that public data to the accounts’ email addresses.
Importantly, 20% of the total userbase it seems:
> In December 2025, SoundCloud announced it had discovered unauthorised activity on its platform. The incident allowed an attacker to map publicly available SoundCloud profile data to email addresses for approximately 20% of its users. The impacted data included 30M unique email addresses, names, usernames, avatars, follower and following counts and, in some cases, the user’s country.
That's from the haveibeenpwned email which I received because of course I'm part of that 20%.
Remember to have unique passwords for each website kids, ideally with a password manager.