SoundCloud Data Breach Now on HaveIBeenPwned

Nature and impact of the SoundCloud breach

  • Breach affected 30M email addresses (20% of users), plus names, usernames, avatars, follower stats, and sometimes country.
  • Most non-email data was already public on profiles; debate centers on whether adding email linkage materially increases risk.
  • One side: “It’s just public data + email; impact is minimal (spam, scams).”
  • Other side: linking email to pseudonymous accounts can deanonymize users, expose taboo interests, or enable targeted harassment/blackmail, especially for artists using SoundCloud as an alter-ego.
  • Concern that the industry of scammy “music promotion” services will heavily exploit this new, targeted email list.
  • Some note organized crime previously targeted valuable usernames on platforms like SoundCloud, so extra correlation data may have non-trivial value.

SoundCloud’s handling and product criticism

  • Strong dissatisfaction with how SoundCloud treats former paying users: hiding tracks after downgrades and later threatening deletion is viewed by some as hostage-taking.
  • Counterargument: it’s a storage service; if you stop paying for more-than-free-tier usage, deletion or restriction is expected and economically reasonable.
  • Nuance: critics argue there should be a clear grace period and easy export, especially when storage is sold as “unlimited” and the data is artist-created work and proof of publication date.
  • Several reports of technical jank: inconsistent upload limits, confusing upsells, likely quota bugs in a distributed/microservices backend.

Freemium model and user-hostility debate

  • One camp: immediate or eventual deletion after non-payment is normal; no entitlement to continued storage.
  • Another: SoundCloud demonstrably keeps the data, but blocks access and pressures users to pay, which is framed as a dark pattern and “blackmail” of previously willing customers.

Email hygiene and mitigations

  • Recommendations: unique passwords per site (with a manager), and unique emails or aliases per service.
  • Disagreement over Gmail “+addressing”: some say it’s useless because spammers strip the suffix; others prefer truly random relay addresses or custom domains for canary-trap-style tracing (identifying which service leaked the address).
  • Note that some sites block known alias providers; self-hosted domains are suggested for longevity.
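
An added example (not from the discussion) contrasting the two approaches above in Python: a list-cleaner that canonicalises “+tag” addresses the way the “spammers strip the suffix” camp describes, beside a per-service alias registry on a self-hosted domain (example.org and the HMAC key are assumed) whose aliases survive cleaning and can still be traced back to the service that leaked them.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional


def strip_plus_tag(addr: str) -> str:
    """Canonicalise an address the way a spam list cleaner would: drop any
    '+tag' suffix, lowercase, and for Gmail also drop dots in the local part.
    A '+service' canary does not survive this."""
    local, _, domain = addr.strip().lower().partition("@")
    local = local.split("+", 1)[0]
    if domain in ("gmail.com", "googlemail.com"):
        local = local.replace(".", "")
    return f"{local}@{domain}"


class AliasRegistry:
    """One random-looking alias per service on a domain you control (assumed:
    example.org forwards every alias to one mailbox). The alias is an HMAC of
    the service name under a private key, so a cleaner cannot strip it down to
    a shared base address, while the owner can still map a leaked alias back
    to the service it was given to."""

    def __init__(self, domain: str, key: Optional[bytes] = None) -> None:
        self.domain = domain.lower()
        self.key = key or secrets.token_bytes(32)
        self._service_by_alias: Dict[str, str] = {}

    def alias_for(self, service: str) -> str:
        tag = hmac.new(self.key, service.lower().encode(), hashlib.sha256).hexdigest()[:12]
        alias = f"{tag}@{self.domain}"
        self._service_by_alias.setdefault(alias, service)
        return alias

    def trace(self, leaked: str) -> Optional[str]:
        """Return the service an address was given to, or None if unknown.
        Cleaning the address first changes nothing for registry aliases."""
        return self._service_by_alias.get(strip_plus_tag(leaked))


if __name__ == "__main__":
    # Constructed sample addresses, not real leaked data.
    print(strip_plus_tag("Alice.Smith+soundcloud@gmail.com"))  # alicesmith@gmail.com
    reg = AliasRegistry("example.org")
    sc = reg.alias_for("SoundCloud")
    print(sc, "->", reg.trace(sc.upper()))
```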

HaveIBeenPwned and breach communication

  • Some feel email-only breaches dilute HIBP’s value since no passwords are exposed, and the “Recommended Actions” page looks like ad-driven upsell.
  • Clarification that HIBP hides “sensitive” breaches (adult, dating, criminal forums, etc.) behind verified login to avoid outing users.
  • Criticism of SoundCloud’s public response as downplaying the incident by calling everything except passwords/financial data “non-sensitive” and ambiguously implying emails are “public.”

Broader security and reaction

  • A few commenters see the reaction as typical infosec “mountains out of molehills” given limited direct impact (“wow, they got my email”).
  • Others argue that privacy erosion via repeated deanonymizing leaks is cumulative, and dismissing each one as minor misses the larger risk landscape.