
Comment by embedding-shape

8 hours ago

Importantly, 20% of the total userbase it seems:

> In December 2025, SoundCloud announced it had discovered unauthorised activity on its platform. The incident allowed an attacker to map publicly available SoundCloud profile data to email addresses for approximately 20% of its users. The impacted data included 30M unique email addresses, names, usernames, avatars, follower and following counts and, in some cases, the user’s country.

That's from the haveibeenpwned email which I received because of course I'm part of that 20%.

Remember to have unique passwords for each website, kids, ideally with a password manager.

Whilst that's important advice, as far as I can tell it wouldn't help here as no passwords are breached. I had a few of our domain users on this report and as far as I can tell there's nothing actionable.

Also, never give out a direct email address, always an alias.

  • and include a nonce. user+SoundCloud@gmail.com is obviously guessable. user+SoundCloudheuerue64@gmail.com ain't getting guessed.

    • Gmail plus addressing is like the most widely known thing ever and also like the first thing checked by every scammer and hacker. It's so useless I've been using it for practically ever and spam related to brand new data breaches still has it stripped out. There have only ever been like two occasions where a spam email in my inbox didn't strip out the plus address.

      Use something like Firefox Relay where it's impossible to strip out anything.
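Added example, not part of any comment above: a per-site plus-address alias whose nonce is derived with an HMAC, so a leaked address can be traced to the site it was issued to and a guessed tag is rejected, alongside the stripping step that recovers the base address no matter what the tag is. The function names, the `example.com` address and the secret are constructed for illustration.

```python
import hashlib
import hmac


def make_alias(local, domain, site, secret):
    """Build local+<site><nonce>@domain; the nonce is a truncated HMAC of the site name."""
    label = site.lower()
    nonce = hmac.new(secret, label.encode(), hashlib.sha256).hexdigest()[:10]
    return f"{local}+{label}{nonce}@{domain}"


def issued_to(address, sites, secret):
    """Return the site this alias was issued to, or None if the tag is guessed or forged."""
    local_part, _, domain = address.rpartition("@")
    local = local_part.partition("+")[0]
    for site in sites:
        expected = make_alias(local, domain, site, secret).lower().encode()
        if hmac.compare_digest(expected, address.lower().encode()):
            return site
    return None


def strip_plus(address):
    """Canonicalise an address by dropping everything from '+' up to '@'."""
    local_part, _, domain = address.rpartition("@")
    return f"{local_part.partition('+')[0]}@{domain}"


if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # constructed value; keep a real one private
    sites = ["github", "soundcloud"]
    alias = make_alias("user", "example.com", "SoundCloud", secret)
    print("issued alias:   ", alias)
    print("traced to:      ", issued_to(alias, sites, secret))
    print("guessed tag:    ", issued_to("user+soundcloud@example.com", sites, secret))
    # The nonce makes the tag unguessable, but the base address is still one split away.
    print("after stripping:", strip_plus(alias))
```
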