18 comments

[ 2.8 ms ] story [ 37.1 ms ] thread
> the impacted data included 30M unique email addresses, names, usernames, avatars, follower and following counts and, in some cases, the user’s country
SoundCloud is the worst company, so hostile to former paying users! I am a hobbyist songwriter and have posted my rough mixes (Apple's Music Memo app which adds drum and bass automagically with two clicks & then mix it in Garage Band) on my SoundCloud for more then ten years. I signed up for their Artist Pro account and was a member for of such consistently for a few years at $17 a month. Once you cancel they then hold all your music hostage by hiding it and later threat to delete it. Horrid!
"The data involved consisted only of email addresses and information already visible on public SoundCloud profiles".

So they've scraped public data. Why care?

A lot of "rap gods" are about to be exposed as "Kevin" from suburbia.
all this leaked data pretty much used for one objective now: stealing crypto
Kinda sad to see a "Recommended Actions", with only sponsors, with ad copy that would be understood by HN readers but not our non-technical friends. (i.e. a simple "Nothing. No passwords have been leaked yet, only metadata" in this case)
By aggregating breach data by email, this tool inadvertently exposes users's full web history, including sensitive sites like crypto/adult/dating platforms, to anyone who knows their address

Fun

So I guess I should watch out for scams being sent to "soundcloud@" on a personal domain. Oh no, how will I distinguish them from my legitimate banking email???
I went through and deleted a bunch of accounts a while ago, SoundCloud being one of them. It looks like I don't show up in the breach. It's nice to know SoundCloud actually deleted my data, I'm never totally sure what happens on the backend.
I still have two active accounts and neither of those were in the breach of the 20% of accounts.
Glad that I removed my SoundCloud account right on time.

I think it’s only a matter of time before a service gets breached.

It's best to use unique random username, email, and password for every online account. Also, providing only the bare minimum of data and faking as much as possible is helpful in cases of data breaches.

An email–only breach seems to cheapen the value of HIBP. It's not telling me if my password was leaked.
making mountains out of mole hills. this type of panic is really common in the infosec world.
How so? I tend to disagree with the general statement that this is common in the infosec world, but I'd like to understand better what you mean by that.
Oh nice. Maybe I can finally recover (and finally shut down) my old account I accidentally locked myself out of.
People should be using email alias. 1 unique alias per 1 uniques service and websites for proper segregation. If any of the unique alias leaked or getting spammed you'd know where the source is and blocking that specific alias would limit the breach. Theres simplelogin.io, addy.io, firefox relay, apple hide-my-email, custom domain catchall etc for that.