> the impacted data included 30M unique email addresses, names, usernames, avatars, follower and following counts and, in some cases, the user’s country
SoundCloud is the worst company, so hostile to former paying users! I am a hobbyist songwriter and have posted my rough mixes (Apple's Music Memo app which adds drum and bass automagically with two clicks & then mix it in Garage Band) on my SoundCloud for more then ten years. I signed up for their Artist Pro account and was a member for of such consistently for a few years at $17 a month. Once you cancel they then hold all your music hostage by hiding it and later threat to delete it. Horrid!
Kinda sad to see a "Recommended Actions", with only sponsors, with ad copy that would be understood by HN readers but not our non-technical friends. (i.e. a simple "Nothing. No passwords have been leaked yet, only metadata" in this case)
By aggregating breach data by email, this tool inadvertently exposes users's full web history, including sensitive sites like crypto/adult/dating platforms, to anyone who knows their address
So I guess I should watch out for scams being sent to "soundcloud@" on a personal domain. Oh no, how will I distinguish them from my legitimate banking email???
I went through and deleted a bunch of accounts a while ago, SoundCloud being one of them. It looks like I don't show up in the breach. It's nice to know SoundCloud actually deleted my data, I'm never totally sure what happens on the backend.
Glad that I removed my SoundCloud account right on time.
I think it’s only a matter of time before a service gets breached.
It's best to use unique random username, email, and password for every online account.
Also, providing only the bare minimum of data and faking as much as possible is helpful in cases of data breaches.
How so? I tend to disagree with the general statement that this is common in the infosec world, but I'd like to understand better what you mean by that.
People should be using email alias. 1 unique alias per 1 uniques service and websites for proper segregation. If any of the unique alias leaked or getting spammed you'd know where the source is and blocking that specific alias would limit the breach. Theres simplelogin.io, addy.io, firefox relay, apple hide-my-email, custom domain catchall etc for that.
18 comments
[ 2.8 ms ] story [ 37.1 ms ] threadSo they've scraped public data. Why care?
Aren't on public SoundCloud profiles.
Fun
I think it’s only a matter of time before a service gets breached.
It's best to use unique random username, email, and password for every online account. Also, providing only the bare minimum of data and faking as much as possible is helpful in cases of data breaches.