Under 2% of GDPR complaints even result in fines. And that would require there to be grounds for a complaint - there's no way for an external user to tell whether the delete is actually done, and the DPA won't force them to submit to a third-party source code audit.
The GDPR has zero teeth. But don't take it from me, these guys have a bit more expertise than I do on this subject: https://noyb.eu/en/data-protection-day-5-misconceptions-abou...
For a company that’s been hacked as many times as Sony, I find this to be pretty pathetic.
Different company, same story.
If Gmail goes down in 20 years, it will be a major occurrence. If mailgoforward.fart goes down, you’re screwed.
The advice is, as always, use a second mail address for “sensitive” providers. Use a password manager and two factor for everything. Ideally one that integrates into your phone and browser.
For traceability, most providers support a + alias syntax now. I.e. [email protected]
Using randomized relay addresses instead gives you an immensely higher confidence that when a given contact address starts getting spam, it is misuse stemming from a specific entity. Especially if you rotate it at a fixed time interval, because then you can even establish a starting timeframe.
Still not perfect but it can never really be, and not even out of email's fault. As long as DNS and IP addressing rule the world, there's only so much one can do. Once identity is private-default, it becomes a secret handling problem at its core, a capability these schemes were never designed to provide.
The technical equivalent of “if you default on a $100,000 loan you have a problem. If you default on a billion dollar loan the _bank_ has a problem.”
So they've scraped public data. Why care?
Aren't on public SoundCloud profiles.
> no sensitive data was taken in the incident. The data involved consisted only of email addresses and information already visible on public SoundCloud profiles (not financial or password data)
[0]: https://soundcloud.com/playbook-articles/protecting-our-user...
I read the statement to be "emails plus public information"
I don't use SoundCloud, but if profiles didn't have contact information like Email Address on them then it could be meaningful to now connect those two dots.
Like, 'Hey look, Person A, who is known to use email address X, kept Lost Prophets as one of their liked artists even after 2013!'
SoundCloud is a weird place; people in entertainment have certain strong incentives. They figured out who I am, figured out all the email addresses I have, jacked the account attached to my SoundCloud, and stole my account. I still, to this day, don't know how they pwned my email (2FA was on but it didn't trigger suspicious activity; it let them log in without triggering it. No clue how they got the password either, and the password is secure enough that it's too hard to brute force, and it's not in a pwned db). Based on what was in my SoundCloud inbox when I got access again, someone paid a fair amount to have this done... and now I have to go change my email again, I suppose.
The data in the leak (other than follower count, etc) was already available for purchase from Zoominfo, 8sense, or a variety of other data brokers or other legal marketplaces for PII.
I suppose the risk now is that the data is freely available and no longer behind a data broker’s paywall?
Now it is.
Now I can blackmail you or haunt you.
(I'm sure there's other examples, tl;dr people are deanonymized, there are uncountable reasons why people choose anonymity)
> The data in the leak (other than follower count, etc) was already available for purchase from Zoominfo, 8sense, or a variety of other data brokers or other legal marketplaces for PII.
?
> In December 2025, SoundCloud announced it had discovered unauthorised activity on its platform. The incident allowed an attacker to map publicly available SoundCloud profile data to email addresses for approximately 20% of its users. The impacted data included 30M unique email addresses, names, usernames, avatars, follower and following counts and, in some cases, the user’s country.
That's from the haveibeenpwned email which I received because of course I'm part of that 20%.
Remember to have unique passwords for each website kids, ideally with a password manager.
Use something like Firefox Relay where it's impossible to strip out anything.
SoundCloud is European, so most of the dark patterns used by American companies to offer "free" service are not available to them, and they are required by law to actually delete data instead of pretending to delete it.
Do they take the leftovers from your fridge when you stop buying?
So if you had over three hours uploaded, it seems reasonable for them to restrict the service. If you had <= three, then it would be a problem.
Recently I decided to evaluate it for serious use and start posting there again, only until their new uploader told me I need to switch to a paid plan, even though I triple-checked I was well within free limits and under my old now unused username I uploaded a lot more (mostly of experimental things I am not that proud of anymore).
It looks like their microservices architecture is in chaos and some system overrides the limits outlined in the docs with stricter ones. How can I be sure they respect the new limits once I do pay, instead of upselling me the next plan in line?
Adding to that things like the general jankiness or the never-ending spam from “get more fake listeners for $$$” accounts (which seem to be in an obvious symbiosis with the platform, boosting the numbers for optics), the last year’s ambiguous change in ToS allowing them to train ML systems on your work, it was enough for me to drop it. Thankfully, it was a trial run and I did not publish any pending releases.
If you still publish on SoundCloud, and you do original music (as opposed to publishing, say, DJ sets, where dealing with IP is problematic), ask yourself whether it is time to grow up and do proper publishing!
Another possibility is maybe they reduced their limits from 3 to 2 hours of audio around the same time. I don’t know if it happened before or after my experience, did not read their blogs or press releases, only made sure I was well under whatever limits were currently listed on their pricing & plans page (I was probably under 2 hours as well, but at this point can’t be bothered to check). Perhaps that transition was chaotic and for some time their left hand did not know what the right hand was doing.
Yes, I'm intentionally victim blaming here. The victim is complaining about a 3rd party site deleting files. Who cares? Why would you have as your only source of your files the copies stored by the 3rd party?
Data loss happens too. Soundcloud may be your only source of your own tracks.
> and have posted my rough mixes [...] on my SoundCloud for more than ten years
...easily implies >3h of uploads, which is over the free plan limit. If you're over that limit and stop paying, yes, it makes perfect sense that they'd threaten with deletion of some of your existing uploads.
If it is an actual necessity—a service chose to market an unlimited plan to attract more users, and then realized they are losing money on storage and traffic so much that they would unapologetically burn bridges with existing users who showed themselves as willing to pay (who maybe needed to downgrade temporarily for whatever reason) with the above move—and yet their strategy is apparently to keep offering that plan (in hopes to turn things around with more light users joining?), I would question whether that service has serious issues with even medium term planning.
They are a European company, so you are the customer, not the product and recipient of subsidies. They use less manipulation and dark patterns than an equivalent American company.
You pay, you get service. You don't pay, you don't get service. If they can't bill you, they should try to communicate with you for a few months before treating it as a cancellation. If you cancel, then your choice is clear and you should expect your service to be immediately terminated at the end of the current billing period. If their service is storing files for you, termination of the service means deletion of the files.
There is no need for a grace period when you knowingly and voluntarily make the decision to terminate a file storage service.
They also do advertisement (promoted tracks and audio ads) but this is irrelevant to my point, what I described applies regardless, including the fact that heavy users of the unlimited plan and free users definitely receive subsidies, both from light users and from ad revenue of the platform.
> You pay, you get service. You don't pay, you don't get service
The definition of the service you receive and how good it is includes what happens when you decide to off-ramp from receiving it. Changing your service plan is your indication that you want to change service, what happens after that is how they handle it. There is no stipulation whatsoever that things stop being available to you immediately.
In fact, in the case of SoundCloud, they themselves prove this, because they did not delete data but instead continued to keep data for free, which means providing you a service that you presumably stopped paying for. Their silly move was to do that and not allow you to download it, and then to email the victim urging them to pay to access this data, which makes it 100% a dark pattern and means they are effectively blackmailing customers with proven ability and willingness to pay.
If I remember right, Apple (an American company) handles it better and gives you a month to download excess data if you downgrade, but sure, “dark patterns”.
> There is no need for a grace period when you knowingly and voluntarily make the decision to terminate a file storage service.
If you terminate your use of a file storage service, you would expect your personal data to be deleted. However, no one terminated their use of a service, somebody apparently downgraded their payment plan (temporarily or not).
Their best feature is social feed - I only see reposts from people I follow. But for branching out / discovery might be cool to see what their feed looks like, so something like "show followees feed".
Those were the golden SoundCloud years.
I use a unique string per company that's not guessable in advance but is obvious when looking at it and squinting a bit, for example (and these are not the exact ones I use): sundclod@<domain> or ebuy@<domain> or amzoon@<domain>
Sure I have to remember them but it's easy for me to check and my password manager is filling them in for me 99.99% of the time.
I can filter on those emails instead, and I also know that anything coming to soundcloud@<domain> or ebay@<domain> or amazon@<domain> is definitely spam as I've never used those addresses myself.
If sundclod@<domain> appears in a leak I can (hopefully) change my account email at Soundcloud to sondclud@<domain> and then confine sundclod@<domain> to /dev/null
As for Soundcloud, the password I had saved for it and a tiny bit of profile information tells me a lot - a manually created password saved into a password manager, probably in 2010 or 2011 and unused after grabbing a single track.
Addresses for services I actually care about also get what's basically peppering, and have all had updates much more recently than the days of Blackberry devices.
I can't imagine anyone spamming in such low quantities that they'll notice a pattern like company@<domain> and act on it.
I have regularly gotten spam emails without a to, cc, or bcc field though. So I can't tell which email they were sent to. (my host doesn't bounce/drop them for some reason)
I do regularly do misspellings of the company name though, since that often trips the "invalid email" check on signup. e.g. Twitter.
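The alias-tracing scheme described in the two comments above (per-service addresses that are rotated or deliberately misspelled, so that spam or a breach dump points back at the entity that leaked the address) can be automated with a small registry of handed-out aliases. The following is an added example written for this page, not code from any commenter or from any mail provider; it assumes a catch-all domain (`example.net`, constructed), a hard-coded registry of three aliases, and the envelope-recipient headers `Delivered-To`, `X-Original-To` and `Envelope-To` that common MTAs add, which is what makes a message without any To/Cc/Bcc still attributable:

```python
"""Attribute inbound mail and breach dumps to per-service email aliases.

Added example, not code from the thread. Assumes a catch-all domain
(example.net, constructed) and a registry of aliases you handed out.
"""
from dataclasses import dataclass
from datetime import date
from email import message_from_string
from email.utils import getaddresses
from typing import Optional

DOMAIN = "example.net"  # assumption: your own catch-all mail domain


@dataclass(frozen=True)
class Alias:
    service: str   # who the alias was handed to
    issued: date   # when, so a spam onset can be bounded in time


# Constructed registry: one deliberately misspelled alias per service
REGISTRY = {
    "sundclod@example.net": Alias("SoundCloud", date(2021, 3, 1)),
    "ebuy@example.net": Alias("eBay", date(2022, 6, 14)),
    "amzoon@example.net": Alias("Amazon", date(2020, 1, 9)),
}

# Headers the receiving MTA adds with the envelope recipient; consulted only
# when the sender omitted To/Cc/Bcc entirely
ENVELOPE_HEADERS = ("Delivered-To", "X-Original-To", "Envelope-To")


def recipients(raw_message: str) -> list:
    """Return our-domain recipient addresses, falling back to envelope headers."""
    msg = message_from_string(raw_message)

    def pull(headers):
        out = []
        for hdr in headers:
            out += [addr.lower() for _, addr in getaddresses(msg.get_all(hdr, []))]
        return out

    found = pull(("To", "Cc", "Bcc")) or pull(ENVELOPE_HEADERS)
    return [a for a in found if a.endswith("@" + DOMAIN)]


def classify(raw_message: str, registry=REGISTRY) -> tuple:
    """Map a message to the service holding the alias it was sent to.

    ("known", service)      alias was handed to that service: they leaked or sold it
    ("never-issued", addr)  address never handed out (e.g. a guessed soundcloud@): spam
    ("untraceable", None)   no recipient of ours in any header
    """
    addrs = recipients(raw_message)
    if not addrs:
        return ("untraceable", None)
    addr = addrs[0]
    if addr in registry:
        return ("known", registry[addr].service)
    return ("never-issued", addr)


def services_to_rotate(leaked_addresses, registry=REGISTRY) -> list:
    """Given addresses from a breach dump, list services whose alias appeared."""
    hits = {registry[a.lower()].service for a in leaked_addresses if a.lower() in registry}
    return sorted(hits)


def exposure_days(addr: str, seen_on: date, registry=REGISTRY) -> Optional[int]:
    """Days between handing out the alias and first abuse; bounds the leak window."""
    alias = registry.get(addr.lower())
    return None if alias is None else (seen_on - alias.issued).days


# --- constructed sample inputs ---------------------------------------------
MSG_TO_SOUNDCLOUD_ALIAS = (
    "From: promo@example.org\n"
    "To: \"Me\" <Sundclod@example.net>\n"
    "Subject: get 10k plays today\n\n"
    "body\n"
)
MSG_NO_TO_HEADER = (            # sender left out To/Cc/Bcc entirely
    "From: noreply@example.org\n"
    "Delivered-To: ebuy@example.net\n"
    "Subject: your parcel\n\n"
    "body\n"
)
MSG_GUESSED_ALIAS = (           # guessed from the company name; never handed out
    "From: bulk@example.org\n"
    "To: soundcloud@example.net\n"
    "Subject: hi\n\n"
    "body\n"
)
LEAK_DUMP = ["me@gmail.example", "SUNDCLOD@example.net", "amazon@example.net"]
FIRST_SPAM_SEEN = date(2021, 3, 31)   # constructed date of the first abusive mail

if __name__ == "__main__":
    for m in (MSG_TO_SOUNDCLOUD_ALIAS, MSG_NO_TO_HEADER, MSG_GUESSED_ALIAS):
        print(classify(m))
    print(services_to_rotate(LEAK_DUMP))
    print(exposure_days("sundclod@example.net", FIRST_SPAM_SEEN))
```

Feeding a real mailbox through `classify` is a matter of reading each message's raw headers; the `never-issued` verdict is the one the comment above relies on for `soundcloud@<domain>`, and `services_to_rotate` run over a breach notification's address list tells you which alias to retire to `/dev/null` and re-issue.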
> I'd like to understand better what you mean by that.
Recall there was a period where every CPU sidechannel attack had a dedicated (wow) website and a rock band name assigned to it (when in reality their impact again, was/is limited).
I think it’s only a matter of time before a service gets breached.
It's best to use unique random username, email, and password for every online account. Also, providing only the bare minimum of data and faking as much as possible is helpful in cases of data breaches.
Fun
What is a "sensitive breach"?
HIBP enables you to discover if your account was exposed in most of the data breaches by directly searching the system. However, certain breaches are particularly sensitive in that someone's presence in the breach may adversely impact them if others are able to find that they were a member of the site. These breaches are classed as "sensitive" and may not be publicly searched.
A sensitive data breach can only be searched by the verified owner of the email address being searched for. This is done by signing in to the dashboard which involves verifying you can receive an email to the entered address. Once signed in, all breaches (including sensitive ones) are visible in the "Breaches" section under "Personal".
There are presently 82 sensitive breaches in the system including Adult FriendFinder (2015), Adult FriendFinder (2016), Adult-FanFiction.Org, Ashley Madison, Beautiful People, Bestialitysextaboo, Brazzers, BudTrader, Carding Mafia (December 2021), Carding Mafia (March 2021), Catwatchful, CityJerks, Cocospy, Color Dating, CrimeAgency vBulletin Hacks, CTARS, CyberServe, Date Hot Brunettes, DC Health Link, Doxbin and 62 more.
I laughed pretty hard