alt.hn

1/27/2026 at 5:11:39 PM

SoundCloud Data Breach Now on HaveIBeenPwned

https://haveibeenpwned.com/Breach/SoundCloud

by gnabgib

1/27/2026 at 9:46:19 PM

I went through and deleted a bunch of accounts a while ago, SoundCloud being one of them. It looks like I don't show up in the breach. It's nice to know SoundCloud actually deleted my data, I'm never totally sure what happens on the backend.

by al_borland

1/28/2026 at 2:13:39 AM

They still seem to use past email addresses for marketing communications, despite the email address on file having been changed months ago. They definitely still keep old data around and fail to sync data between vendors. Whether that's indicative of their data deletion policies remains to be seen, but to me the lack of care for using past data for active accounts doesn't paint them in a very good light.

by parable

1/27/2026 at 11:58:31 PM

Only 20% of accounts were breached, so that's an optimistic conclusion.

by gnabgib

1/28/2026 at 6:06:10 AM

I still have two active accounts and neither of those were in the breach of the 20% of accounts.

by eXpl0it3r

1/28/2026 at 12:02:03 AM

For some services, like Anthropic/Claude's stubborn refusal to let you remove your payment method, deleting isn't even an option.

by Razengan

1/28/2026 at 2:11:41 AM

I ran into this with Sony. The website said to call, so I did. After 45 minutes on hold the guy just hung up on me saying he couldn’t help, without even really listening to me.

For a company that’s been hacked as many times as Sony, I find this to be pretty pathetic.

by al_borland

1/28/2026 at 4:33:26 AM

I'm not surprised.

Different company, same story.

by g947o

1/27/2026 at 10:55:09 PM

In theory, it's a legal requirement based on GDPR and CCPA as well as many other new digital rights laws across Europe and many states in the USA. SoundCloud is probably big enough to do that correctly otherwise e.g. the GDPR penalty is a highish percentage of the company's total revenue which gives the laws a good amount of "teeth".

by gleenn

1/28/2026 at 7:41:07 PM

> the GDPR penalty is a highish percentage of the company's total revenue which gives the laws a good amount of "teeth"

Under 2% of GDPR complaints even result in fines. And that would require there to be grounds for a complaint - there's no way for an external user to tell whether the delete is actually done, and the DPA won't force them to submit to a third-party source code audit.

The GDPR has zero teeth. But don't take it from me, these guys have a bit more expertise than I do on this subject: https://noyb.eu/en/data-protection-day-5-misconceptions-abou...

by Nextgrid

1/28/2026 at 6:04:24 AM

People should be using email aliases: one unique alias per service and website, for proper segregation. If any of the unique aliases leaks or starts getting spammed, you'd know where the source is, and blocking that specific alias would limit the breach. There's simplelogin.io, addy.io, Firefox Relay, Apple Hide My Email, a custom domain catch-all, etc. for that.

by thinker1972

1/28/2026 at 7:12:04 AM

IMO use email providers that have that built in. Because if your alias provider goes down, you’re fucked. And considering it’s a much less stable business than an email provider, it’s more likely.

If Gmail goes down in 20 years, it will be a major occurrence. If mailgoforward.fart goes down, you’re screwed.

The advice is, as always, use a second mail address for “sensitive” providers. Use a password manager and two factor for everything. Ideally one that integrates into your phone and browser.

For traceability, most providers support a + alias syntax now, i.e. foobar+baxservice@provider.com

by karlgkk

1/28/2026 at 7:47:19 AM

I don't get why + addresses always come up in this. They're machine-undoable by design.

Using randomized relay addresses instead gives you an immensely higher confidence that when a given contact address starts getting spam, it is misuse stemming from a specific entity. Especially if you rotate it at a fixed time interval, cause then you can even establish a starting timeframe.

Still not perfect but it can never really be, and not even out of email's fault. As long as DNS and IP addressing rule the world, there's only so much one can do. Once identity is private-default, it becomes a secret handling problem at its core, a capability these schemes were never designed to provide.

by perching_aix

1/28/2026 at 8:18:27 AM

I'd say for longevity and portability, use your own custom domain. SimpleLogin and addy support using your own custom domain. It's just $10-15 or so per year. Most TLDs allow a maximum cumulative renewal of up to 10 years, so $100-150. Set up a yearly calendar reminder in January to renew +1 year, so at any given time the domain will have a minimum of 9-10 years before expiring. If I got hit by a bus tomorrow then 9 years should be a long enough time for whatever accounts are linked to the domain to rot and be useless for the next domain owner.

by thinker1972

1/28/2026 at 2:23:42 PM

> If Gmail goes down in 20 years, it will be a major occurrence. If mailgoforward.fart goes down, you’re screwed.

The technical equivalent of “if you default on a $100,000 loan you have a problem. If you default on a billion dollar loan the _bank_ has a problem.”

by charliebwrites

1/28/2026 at 12:23:29 PM

Many websites block such providers because of spam.

by varispeed

1/27/2026 at 7:13:18 PM

"The data involved consisted only of email addresses and information already visible on public SoundCloud profiles".

So they've scraped public data. Why care?

by djee

1/28/2026 at 9:23:45 AM

> email addresses

Aren't on public SoundCloud profiles.

by richrichardsson

1/27/2026 at 8:20:23 PM

Hackers stole information of 29.8M accounts (~20% of users). SoundCloud is downplaying the data beyond email address as "publicly available", but the data wasn't scraped. "Profile statistics" aren't public either. Their main response[0] seems to focus on passwords and payment details being the only risky data. They even imply email addresses are public.

> no sensitive data was taken in the incident. The data involved consisted only of email addresses and information already visible on public SoundCloud profiles (not financial or password data)

[0]: https://soundcloud.com/playbook-articles/protecting-our-user...

by gnabgib

1/28/2026 at 12:58:26 AM

If the email addresses were visible on public profile pages in what sense are they not public?

by idiotsecant

1/28/2026 at 1:06:42 AM

Email addresses are not visible on public soundcloud profiles. You can test this yourself.

I read the statement to be "emails plus public information"

by hamdingers

1/27/2026 at 7:18:49 PM

Maybe the two public data points weren't connected before?

I don't use SoundCloud, but if profiles didn't have contact information like Email Address on them then it could be meaningful to now connect those two dots.

Like, 'Hey look, Person A, who is known to use email address X, kept Lost Prophets as one of their liked artists even after 2013!'

by forgotaccount3

1/27/2026 at 8:17:10 PM

Yeah or this: https://news.ycombinator.com/item?id=26386418

SoundCloud is a weird place; people in entertainment have certain strong incentives. They figured out who I am, figured out all the email addresses I have, jacked the account attached to my SoundCloud, stole my account. I still, to this day, don't know how they pwned my email (2FA was on but it didn't trigger suspicious activity; it let them log in without triggering it. No clue how they got the password either, and the password is secure enough that it's too hard to brute force, and it's not in a pwned db). Based on what was in my SoundCloud inbox when I got access again, someone paid a fair amount to have this done... and now I have to go change my email again I suppose.

by neom

1/27/2026 at 10:34:57 PM

Organized crime stealing usernames was apparently a thing for a few years back there, interesting it wasn't limited to Twitter.

by direwolf20

1/27/2026 at 8:08:18 PM

You are 100% correct based on the article. Not good that you're gray, and your parent of "who cares it was already available and scraped" is the top comment.

by refulgentis

1/27/2026 at 8:10:47 PM

But, why care? (Yes, we can “care” that there was a leak - but… why worry? what new risk exists today that didn’t yesterday?)

The data in the leak (other than follower count, etc) was already available for purchase from Zoominfo, 8sense, or a variety of other data brokers or other legal marketplaces for PII.

I suppose the risk now is that the data is freely available and no longer behind a data broker’s paywall?

by cj

1/27/2026 at 8:57:30 PM

I'm confused, where were scrapers/data brokers/Zoominfo etc. getting email addresses for SoundCloud accounts?

by refulgentis

1/27/2026 at 9:07:29 PM

They don’t. I’m confused why that info is valuable.

by cj

1/27/2026 at 10:51:28 PM

People pitching scammy “I can make you famous” services to aspiring musicians. Happens all the time, there’s a whole industry dedicated to it.

by saaaaaam

1/27/2026 at 11:24:10 PM

Let's say you have a $SOCIETAL_TABOO streak and let it out via a SoundCloud account that isn't identifiable as you without your email.

Now it is.

Now I can blackmail you or haunt you.

(I'm sure there's other examples, tl;dr people are deanonymized, there are uncountable reasons why people choose anonymity)

> The data in the leak (other than follower count, etc) was already available for purchase from Zoominfo, 8sense, or a variety of other data brokers or other legal marketplaces for PII.

?

by refulgentis

1/27/2026 at 10:35:43 PM

Isn't that a huge GDPR violation?

by direwolf20

1/27/2026 at 5:50:58 PM

> the impacted data included 30M unique email addresses, names, usernames, avatars, follower and following counts and, in some cases, the user’s country

by Alifatisk

1/27/2026 at 6:45:29 PM

Importantly, 20% of the total userbase it seems:

> In December 2025, SoundCloud announced it had discovered unauthorised activity on its platform. The incident allowed an attacker to map publicly available SoundCloud profile data to email addresses for approximately 20% of its users. The impacted data included 30M unique email addresses, names, usernames, avatars, follower and following counts and, in some cases, the user’s country.

That's from the haveibeenpwned email which I received because of course I'm part of that 20%.

Remember to have unique passwords for each website kids, ideally with a password manager.

by embedding-shape

1/27/2026 at 7:46:06 PM

Whilst that's important advice, as far as I can tell it wouldn't help here as no passwords were breached. I had a few of our domain users on this report and as far as I can tell there's nothing actionable.

by technion

1/27/2026 at 8:05:23 PM

Also, never give out a direct email address, always an alias.

by pluralmonad

1/27/2026 at 11:13:16 PM

and include a nonce. user+SoundCloud@gmail.com is obviously guessable. user+SoundCloudheuerue64@gmail.com ain't getting guessed.

by fragmede

1/28/2026 at 12:56:42 AM

Gmail plus addressing is like the most widely known thing ever and also like the first thing checked by every scammer and hacker. It's so useless I've been using it for practically ever and spam related to brand new data breaches still has it stripped out. There have only ever been like two occasions where a spam email in my inbox didn't strip out the plus address.

Use something like Firefox Relay where it's impossible to strip out anything.

by LoganDark

1/29/2026 at 12:46:53 AM

I mean aliases provided by some service providers. Never been a fan of the + style pretend aliasing. Takes very little sophistication to extract the real email. A real forwarding alias does not expose the true email.

by pluralmonad

1/27/2026 at 6:02:50 PM

If I’m understanding correctly, it sounds like, aside from the email addresses, all the data leaked was already publicly available on users’ SoundCloud profiles. The only novel aspect is linking that public data to the accounts’ email addresses.

by loganc2342

1/27/2026 at 7:10:13 PM

That step makes a big difference though.

by jacquesm

1/27/2026 at 8:07:29 PM

Kinda sad to see a "Recommended Actions", with only sponsors, with ad copy that would be understood by HN readers but not our non-technical friends. (i.e. a simple "Nothing. No passwords have been leaked yet, only metadata" in this case)

by refulgentis

1/28/2026 at 12:39:52 AM

An email-only breach seems to cheapen the value of HIBP. It's not telling me if my password was leaked.

by direwolf20

1/28/2026 at 1:12:30 AM

Plus, the "Recommended Actions" only show me two sponsored products (1Password and Truyu) leaving me confused in what I'm supposed to do now.

by poglet

1/28/2026 at 10:59:51 AM

It's just advertising slop like any other now. No different from "your computer has a virus, buy our cleaner app"

by direwolf20

1/27/2026 at 5:53:33 PM

SoundCloud is the worst company, so hostile to former paying users! I am a hobbyist songwriter and have posted my rough mixes (Apple's Music Memo app, which adds drum and bass automagically with two clicks, & then mix it in GarageBand) on my SoundCloud for more than ten years. I signed up for their Artist Pro account and was a member of such consistently for a few years at $17 a month. Once you cancel they then hold all your music hostage by hiding it and later threaten to delete it. Horrid!

by throwaway431234

1/27/2026 at 6:45:30 PM

A former paying user is not a customer. If you don't pay, why should you receive service? I buy a pizza at this pizza shop every week, but I still don't get free ones.

SoundCloud is European, so most of the dark patterns used by American companies to offer "free" service are not available to them, and they are required by law to actually delete data instead of pretending to delete it.

by direwolf20

1/27/2026 at 7:50:50 PM

> I buy a pizza at this pizza shop every week, but I still don't get free ones.

Do they take the leftovers from your fridge when you stop buying?

by Scoundreller

1/27/2026 at 7:52:47 PM

The analogy was bad. You're effectively renting space in their fridge. In that case, absolutely.

by internetter

1/27/2026 at 8:20:27 PM

If I haven't bought pizza for two months, they use their magical ray, reach into my fridge and turn the leftovers into mold.

by direwolf20

1/27/2026 at 6:54:04 PM

The difference between Artist vs Pro is three hours vs unlimited uploaded music.

So if you had over three hours uploaded, it seems reasonable for them to restrict the service. If you had <= three, then it would be a problem.

by hombre_fatal

1/27/2026 at 6:04:08 PM

SoundCloud used to be good prior to the redesign.

Recently I decided to evaluate it for serious use and start posting there again, only until their new uploader told me I need to switch to a paid plan, even though I triple-checked I was well within free limits and under my old now unused username I uploaded a lot more (mostly of experimental things I am not that proud of anymore).

It looks like their microservices architecture is in chaos and some system overrides the limits outlined in the docs with stricter ones. How can I be sure they respect the new limits once I do pay, instead of upselling me the next plan in line?

Adding to that things like the general jankiness or the never-ending spam from “get more fake listeners for $$$” accounts (which seem to be in an obvious symbiosis with the platform, boosting the numbers for optics), the last year’s ambiguous change in ToS allowing them to train ML systems on your work, it was enough for me to drop it. Thankfully, it was a trial run and I did not publish any pending releases.

If you still publish on SoundCloud, and you do original music (as opposed to publishing, say, DJ sets, where dealing with IP is problematic), ask yourself whether it is time to grow up and do proper publishing!

by goblin89

1/27/2026 at 11:55:35 PM

This sounds like a classic consistency vs latency trade-off. Enforcing strict quotas across distributed services usually requires coordination that kills performance. They likely rely on asynchronous counters that drift, meaning the frontend check passes but the backend reconciliation fails later. It is surprisingly hard to solve this without making the uploader feel sluggish.

by storystarling

1/28/2026 at 1:00:23 AM

That would explain why the front-end would allow you to attempt something that goes over your limits, but not why the back-end would reject something that doesn't go over your limits.

by LoganDark

1/28/2026 at 7:12:13 AM

My bet at the time was that they have a bunch of hidden extra limits based on account age, IP/user agent information, etc. If that is true, their problem is that they advertise the larger limits instead of the smaller limits (to get more users signed up), and that they do not communicate when their extra limits apply and instead straight up upsell you, which are both dark patterns.

by goblin89

1/28/2026 at 12:10:35 PM

That sounds plausible. I've had to implement similar reputation-based limits on my own backend just to keep inference costs from exploding, so I sympathize with the fraud prevention angle. Masking that as a generic quota issue to push an upsell is pretty hostile though.

by storystarling

1/28/2026 at 12:39:01 PM

The feeling of being gaslit, when I calculated and recalculated the length of my tracks and compared it with limits on their pricing page, was quite unpleasant.

Another possibility is maybe they reduced their limits from 3 to 2 hours of audio around the same time. I don’t know if it happened before or after my experience; I did not read their blogs or press releases, only made sure I was well under whatever limits were currently listed on their pricing & plans page (I was probably under 2 hours as well, but at this point can’t be bothered to check). Perhaps that transition was chaotic and for some time their left hand did not know what the right hand was doing.

by goblin89

1/28/2026 at 12:00:14 PM

Fair point. I suspect it comes down to ghost reservations or stale caches. If a previous upload failed mid-flight but didn't roll back the quota reservation immediately, the backend thinks you're over the limit until a TTL expires. Or you delete something to free up space, but the decrement hasn't propagated to the replica checking your quota yet.

by storystarling

1/28/2026 at 10:14:47 AM

Fair point. I suspect it comes down to how they handle retries. If an upload times out but the counter already incremented, the system sees the space as used until an async cleanup job runs. It is really common to have ghost usage in eventually consistent systems.

by storystarling
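A toy reproduction of the ghost-reservation failure mode storystarling describes in the two comments above (an upload that failed mid-flight without rolling back its quota reservation, cleaned up only when a TTL expires), added here as an example; it is not SoundCloud's code, and the reserve/commit/release model, the 3-hour limit, the 10-minute TTL and the timings are assumed.

```python
"""Toy quota ledger showing "ghost" reservations in an upload pipeline.

Added example; not SoundCloud's code. The reservation/commit/release model,
the TTL and the numbers are assumed for illustration.
"""
import itertools

HOUR = 3600


class QuotaLedger:
    """Per-user upload quota = committed seconds of audio + pending reservations.

    A reservation is taken before the bytes arrive and is either committed
    (upload finished) or released (upload failed). One that is neither is a
    ghost: it keeps counting against the user until its TTL passes.
    """

    def __init__(self, limit_seconds: int, ttl_seconds: int) -> None:
        self.limit = limit_seconds
        self.ttl = ttl_seconds
        self.committed = 0
        self.pending = {}            # reservation id -> (seconds, expires_at)
        self._ids = itertools.count(1)

    def _expire(self, now: int) -> None:
        """Drop reservations whose TTL has passed (the async cleanup job)."""
        for rid, (_, expires_at) in list(self.pending.items()):
            if expires_at <= now:
                del self.pending[rid]

    def used(self, now: int) -> int:
        """Seconds counted against the user right now, ghosts included."""
        self._expire(now)
        return self.committed + sum(s for s, _ in self.pending.values())

    def reserve(self, seconds: int, now: int):
        """Pre-commit check; returns a reservation id, or None if over quota."""
        if self.used(now) + seconds > self.limit:
            return None
        rid = f"res-{next(self._ids)}"
        self.pending[rid] = (seconds, now + self.ttl)
        return rid

    def commit(self, rid: str) -> None:
        seconds, _ = self.pending.pop(rid)
        self.committed += seconds

    def release(self, rid: str) -> None:
        self.pending.pop(rid, None)


def upload(ledger: QuotaLedger, seconds: int, now: int,
           succeeds: bool, rollback_on_failure: bool) -> str:
    """Reserve, transfer, then commit or (maybe) release. Returns the user-visible outcome."""
    rid = ledger.reserve(seconds, now)
    if rid is None:
        return "rejected"            # the "upgrade your plan" screen
    if succeeds:
        ledger.commit(rid)
        return "stored"
    if rollback_on_failure:
        ledger.release(rid)          # explicit rollback: no ghost left behind
    return "failed"                  # connection dropped mid-flight


def scenario(rollback_on_failure: bool, retry_at: int):
    """Assumed 3 h plan with 1 h already stored; a 1.5 h upload fails, then is retried.

    Returns (first outcome, retry outcome, seconds counted against the user,
    seconds actually stored).
    """
    ledger = QuotaLedger(limit_seconds=3 * HOUR, ttl_seconds=600)
    ledger.committed = 1 * HOUR
    first = upload(ledger, int(1.5 * HOUR), now=0, succeeds=False,
                   rollback_on_failure=rollback_on_failure)
    retry = upload(ledger, int(1.5 * HOUR), now=retry_at, succeeds=True,
                   rollback_on_failure=rollback_on_failure)
    return first, retry, ledger.used(retry_at), ledger.committed


if __name__ == "__main__":
    print("no rollback, retry after 5 s:   ", scenario(False, 5))     # retry rejected: ghost
    print("rollback on failure, retry 5 s: ", scenario(True, 5))      # retry stored
    print("no rollback, retry after TTL:   ", scenario(False, 700))   # ghost expired, stored
```

The first scenario is the user-facing symptom from the thread: 2.5 h actually stored on a 3 h plan, yet the retry is refused because the ghost reservation still counts.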

1/28/2026 at 12:40:10 PM

That’s a possibility.

by goblin89

1/27/2026 at 7:11:33 PM

You mean you never kept your originals but just uploaded and deleted the masters?

by jacquesm

1/28/2026 at 12:20:46 AM

Date of publication (copyright) is important to a songwriter even if they are a hobbyist.

by throwaway431234

1/28/2026 at 8:19:15 PM

That was a solved problem before the days of the internet.

by jacquesm

1/27/2026 at 6:22:53 PM

that just sounds like customer not paying for service not getting the service

by PunchyHamster

1/27/2026 at 6:26:54 PM

The service is freemium, so they had a limited account. Decided to pay for a premium account. And apparently can’t downgrade and get back what they once had.

by bestham

1/27/2026 at 8:59:29 PM

I'm just guessing, but this:

> and have posted my rough mixes [...] on my SoundCloud for more than ten years

...easily implies >3h of uploads, which is over the free plan limit. If you're over that limit and stop paying, yes, it makes perfect sense that they'd threaten with deletion of some of your existing uploads.

by input_sh

1/27/2026 at 6:31:42 PM

They first hide your songs and as time goes on they start threatening to delete your songs if you don't pay

by throwaway431234

1/27/2026 at 6:36:32 PM

What should they do instead? spend money continuously holding your music on disk forever even though you aren't paying them for the service? Sounds like they are being cool about it by keeping it around for a while and warning you before deleting it.

by colordrops

1/27/2026 at 8:44:41 PM

The marketing move of offering an unlimited plan reveals that storage and traffic are not that expensive and someone made a choice that light users will subsidize heavy users. With that, hiding your data from you and subsequently deleting it, at least without first encouraging you to download it within some post-downgrade grace period, would be a choice, not necessity, and is user-hostile.

If it is an actual necessity—a service chose to market an unlimited plan to attract more users, and then realized they are losing money on storage and traffic so much that they would unapologetically burn bridges with existing users who showed themselves as willing to pay (who maybe needed to downgrade temporarily for whatever reason) with the above move—and yet their strategy is apparently to keep offering that plan (in hopes to turn things around with more light users joining?), I would question whether that service has serious issues with even medium term planning.

by goblin89

1/27/2026 at 10:41:49 PM

No matter their actual costs to provide the service, I'm struggling to see why they should not immediately delete all of your stored files upon cancellation of the storage service.

They are a European company, so you are the customer, not the product and recipient of subsidies. They use less manipulation and dark patterns than an equivalent American company.

You pay, you get service. You don't pay, you don't get service. If they can't bill you, they should try to communicate with you for a few months before treating it as a cancellation. If you cancel, then your choice is clear and you should expect your service to be immediately terminated at the end of the current billing period. If their service is storing files for you, termination of the service means deletion of the files.

There is no need for a grace period when you knowingly and voluntarily make the decision to terminate a file storage service.

by direwolf20

1/28/2026 at 7:07:04 AM

> you are the customer, not the product and recipient of subsidies

They also do advertisement (promoted tracks and audio ads) but this is irrelevant to my point, what I described applies regardless, including the fact that heavy users of the unlimited plan and free users definitely receive subsidies, both from light users and from ad revenue of the platform.

> You pay, you get service. You don't pay, you don't get service

The definition of the service you receive and how good it is includes what happens when you decide to off-ramp from receiving it. Changing your service plan is your indication that you want to change service, what happens after that is how they handle it. There is no stipulation whatsoever that things stop being available to you immediately.

In fact, in case of SoundCloud, they themselves prove this, because they did not delete data but instead continued to keep data for free, which means providing you a service that you presumably stopped paying for. The silly move of them was to do that and not allow you to download it, and then emailing the victim urging them to pay to access this data, which makes it 100% a dark pattern and means they are effectively blackmailing customers with proven ability and willingness to pay.

If I remember right, Apple (an American company) handles it better and gives you a month to download excess data if you downgrade, but sure, “dark patterns”.

> There is no need for a grace period when you knowingly and voluntarily make the decision to terminate a file storage service.

If you terminate your use of a file storage service, you would expect your personal data to be deleted. However, no one terminated their use of a service, somebody apparently downgraded their payment plan (temporarily or not).

by goblin89

1/29/2026 at 1:08:30 PM

Sounds like they will warn you about your storage limit for a while, so you can choose which data to delete to be under the limit, before deleting your data at random to force you under the limit. Quite reasonable.

by direwolf20

1/29/2026 at 2:21:28 PM

You mean Apple? I don’t think they actually delete any minor excess data that may occur incidentally due to race condition or eventual consistency. Just if you actually downgrade, they do… After a month or so, during which you can still download.

by goblin89

1/27/2026 at 10:24:55 PM

As a listener I'd pay (a reasonable amount like <$5 per month) to only listen to mixes, especially if it can be filtered by bitrate.

Their best feature is social feed - I only see reposts from people I follow. But for branching out / discovery might be cool to see what their feed looks like, so something like "show followees feed".

by dzhiurgis

1/27/2026 at 9:34:29 PM

Overall what I'm saying is they treat their non-paying customers better than their paying ones. Once I was a paying customer, after having and using my free account for over 7 years then converting to a paying customer, and had to cancel, SoundCloud became hostile.

by throwaway431234

1/27/2026 at 10:43:36 PM

Did you have more stored data than the limit for stored data for unpaid accounts?

by direwolf20

1/27/2026 at 10:15:47 PM

I'd pay for Soundcloud, but not sure what I'd get for over free version. It costs more than Apple Music and offering offline nowadays is lol feature.

by dzhiurgis

1/27/2026 at 6:03:51 PM

You can export your entire profile using yt-dlp. Of course you have to do it when you are still a paying customer.

by crazybonkersai

1/28/2026 at 12:30:48 AM

Do this regularly; like YouTube, soundclownd ‘silently’ deletes favorites and also blocks songs based on your VPN/geo location. I lost so much music… so I need to resort to scraping. Simple solution: make the song unavailable but please just keep the entry (name-title) in your fav. list.

by thenthenthen

1/27/2026 at 6:57:33 PM

Why would someone that writes their own songs, mixes in GarageBand, uploads to a 3rd party website need to use yt-dlp to get back the files that they themselves made?

Yes, I'm intentionally victim blaming here. The victim is complaining about a 3rd party site deleting files. Who cares? Why would you have as your only source of your files the copies stored by the 3rd party?

by dylan604

1/27/2026 at 8:50:36 PM

You get a point there, but export is mostly about metadata, eg images and description.

Data loss happens too. Soundcloud may be your only source of your own tracks.

by crazybonkersai

1/28/2026 at 12:20:12 AM

Date of publication (copyright) is important to a songwriter. SoundCloud, I'm sure, knows this! Probably should have said this from the top!

by throwaway431234

1/27/2026 at 7:20:14 PM

Not only that, the victim is complaining about a paid file storage company deleting the files when the victim stops paying

by direwolf20

1/27/2026 at 6:16:40 PM

Are there any alternatives?

by gmueckl

1/27/2026 at 6:27:41 PM

Isn't everyone on YouTube or Bandcamp now for this use case?

by dewey

1/27/2026 at 6:55:44 PM

YouTube is the domain of Satan, also the name is hilarious - you tube? really? I don't tube thaanks

by alexalx666

2/3/2026 at 2:58:35 AM

It's YouTube, not MeTube, so you can use it as you want and I'll stay away.

by efreak

1/27/2026 at 7:30:15 PM

A lot of "rap gods" are about to be exposed as "Kevin" from suburbia.

by TechSquidTV

1/27/2026 at 7:34:57 PM

Lil B is probably fine, but he is the biggest name I recall coming out of SoundCloud. He blew up all over the 2010s, he was the Kanye of Cloudrap too because he took dressing styles and changed it all up similar to Kanye.

by giancarlostoro

1/27/2026 at 7:55:30 PM

Shout out to lil b and those parties at Berkeley he would perform at in ‘12, ‘13.

Those were the golden sound cloud years.

by sam1r

1/27/2026 at 11:33:59 PM

I was big on tumblr, but he wasn't my style of rap, but I respect him for what he was able to pull off.

by giancarlostoro

1/27/2026 at 8:27:32 PM

There's a few big names: Post Malone, Billie Eilish, Lil Nas X, Khalid, Bad Bunny

by gnabgib

1/27/2026 at 9:31:09 PM

Thankfully the only artist I listen to on there has been known as Bryce from the suburbs for two decades:

https://soundcloud.com/ytcracker

by ddtaylor

1/27/2026 at 10:38:32 PM

Glad that I removed my SoundCloud account right on time.

I think it’s only a matter of time before a service gets breached.

It's best to use unique random username, email, and password for every online account. Also, providing only the bare minimum of data and faking as much as possible is helpful in cases of data breaches.

by nalekberov

1/27/2026 at 9:34:48 PM

So I guess I should watch out for scams being sent to "soundcloud@" on a personal domain. Oh no, how will I distinguish them from my legitimate banking email???

by fencepost

1/27/2026 at 10:02:05 PM

Clever spammers (there are some!) see the presence of company@<domain> and assume the user will have similar emails for other accounts, so it might be worth trying eBay scams to ebay@<domain> or banking scams to chase@<domain> or boa@<domain>. Sending is cheap so why not, you're not trying to fool everyone, only a few.

I use a unique string per company but it's not guessable in advance, but it's obvious when looking at it and squinting a bit, for example (and these are not the exact ones I use): sundclod@<domain> or ebuy@<domain> or amzoon@<domain>

Sure I have to remember them but it's easy for me to check and my password manager is filling them in for me 99.99% of the time.

I can filter on those emails instead, and I also know that anything coming to soundcloud@<domain> or ebay@<domain> or amazon@<domain> is definitely spam as I've never used those addresses myself.

If sundclod@<domain> appears in a leak I can (hopefully) change my account email at Soundcloud to sondclud@<domain> and then confine sundclod@<domain> to /dev/null

by alexfoo
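The per-service alias scheme discussed above (thinker1972's one alias per service, fragmede's nonce so the alias cannot be guessed, and alexfoo's rule that a bare company@<domain> that was never issued is definitely spam), as an added example that is not code from the thread or from any alias provider; the domain, service names and sample messages are constructed.

```python
"""Per-service e-mail aliases with a random nonce, and a triage of incoming mail.

Added example; not code from the thread or from any alias provider. The domain,
service names and sample messages are constructed for illustration.
"""
import secrets
from dataclasses import dataclass
from typing import Optional

DOMAIN = "example.com"  # assumed custom domain (constructed)


@dataclass
class Verdict:
    verdict: str              # "ok", "leaked", "bait", "unknown" or "foreign"
    service: Optional[str]    # the service the alias was issued to, if known


class AliasBook:
    """One alias per service, each with a nonce so it cannot be guessed from the service name."""

    def __init__(self, domain: str = DOMAIN) -> None:
        self.domain = domain.lower()
        self.active: dict = {}    # local part -> service currently using it
        self.retired: dict = {}   # local part -> service whose copy of it leaked
        self.services: set = set()

    def _split(self, address: str):
        local, _, dom = address.strip().lower().rpartition("@")
        return local, dom

    def issue(self, service: str) -> str:
        """Mint a fresh alias: service name plus 32 random bits, e.g. soundcloud-9f1c2a7b@example.com."""
        local = f"{service.lower()}-{secrets.token_hex(4)}"
        self.active[local] = service
        self.services.add(service.lower())
        return f"{local}@{self.domain}"

    def rotate(self, address: str) -> str:
        """The alias showed up in a breach: retire it, keep the mapping, issue a replacement."""
        local, _ = self._split(address)
        if local not in self.active:
            raise ValueError(f"{address} is not an active alias")
        self.retired[local] = self.active.pop(local)
        return self.issue(self.retired[local])

    def classify(self, address: str) -> Verdict:
        """Decide what an incoming recipient address tells us."""
        local, dom = self._split(address)
        if dom != self.domain:
            return Verdict("foreign", None)
        if local in self.active:
            return Verdict("ok", self.active[local])
        if local in self.retired:          # retired alias: mail traced to that service's leak
            return Verdict("leaked", self.retired[local])
        if local in self.services:         # bare service name was never issued: definitely spam
            return Verdict("bait", local)
        return Verdict("unknown", None)

    def triage(self, messages):
        """Label (recipient, subject) pairs; returns [(recipient, verdict, service)]."""
        out = []
        for to, _subject in messages:
            v = self.classify(to)
            out.append((to, v.verdict, v.service))
        return out


if __name__ == "__main__":
    book = AliasBook()
    sc = book.issue("SoundCloud")
    shop = book.issue("eBay")
    sc_new = book.rotate(sc)          # sc appeared in a leak; account e-mail changed to sc_new
    sample = [                        # constructed sample mail, not real traffic
        (sc_new, "Your weekly SoundCloud digest"),
        (sc, "Your account will be suspended!!!"),
        (shop, "Order shipped"),
        (f"soundcloud@{DOMAIN}", "Verify your password"),
        (f"chase@{DOMAIN}", "Unusual sign-in"),
    ]
    for to, verdict, service in book.triage(sample):
        print(f"{to:<40} {verdict:<8} {service or '-'}")
```

Mail classified "leaked" can be routed to /dev/null while still naming the service that lost the address; "bait" hits need no lookup at all because the address was never handed out.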

1/28/2026 at 9:23:26 PM

I have three different generations of email addresses associated with United Airlines that all receive spam. Never any disclosed breaches AFAIK, but clearly email addresses got out at several points. At some point I stopped bothering to check.

As for Soundcloud, the password I had saved for it and a tiny bit of profile information tells me a lot - a manually created password saved into a password manager, probably in 2010 or 2011 and unused after grabbing a single track.

Addresses for services I actually care about also get what's basically peppering, and have all had updates much more recently than the days of Blackberry devices.

by fencepost

1/28/2026 at 10:00:47 PM

Has this happened to you before?

I can't imagine anyone spamming in such low quantities that they'll notice a pattern like company@<domain> and act on it.

I have regularly gotten spam emails without a to, cc, or bcc field though. So I can't tell which email they were sent to. (my host doesn't bounce/drop them for some reason)

I do regularly do misspellings of the company name though, since that often trips the "invalid email" check on signup. e.g. twitter.

by extraduder_ire

1/27/2026 at 10:37:26 PM

For the more shady sites, I use first names or fake usernames.

by direwolf20

1/27/2026 at 10:02:48 PM

We are the minority of users that had enough foresight to do this. I'd bet that _most_ people on this breach don't even know about the plus/dot trick with gmail (and I am sure other providers, too).

by baby_souffle

1/28/2026 at 5:01:19 AM

Oh nice. Maybe I can finally recover (and finally shut down) my old account I accidentally locked myself out of.

by CaptainWeekend

1/28/2026 at 2:45:17 AM

making mountains out of mole hills. this type of panic is really common in the infosec world.

by snorbleck

1/28/2026 at 4:08:16 AM

How so? I tend to disagree with the general statement that this is common in the infosec world, but I'd like to understand better what you mean by that.

by doodlesdev

1/28/2026 at 6:25:44 AM

Impact in this case, is non-existent (Wow they got my email)

> I'd like to understand better what you mean by that.

Recall there was a period where every CPU sidechannel attack had a dedicated (wow) website and a rock band name assigned to it (when in reality their impact again, was/is limited).

by vachina

1/27/2026 at 7:34:25 PM

all this leaked data pretty much used for one objective now: stealing crypto

by paulpauper

1/27/2026 at 8:08:57 PM

By aggregating breach data by email, this tool inadvertently exposes users' full web history, including sensitive sites like crypto/adult/dating platforms, to anyone who knows their address

Fun

by WhereIsTheTruth

1/27/2026 at 8:47:51 PM

From the FAQ [1]:

What is a "sensitive breach"?

HIBP enables you to discover if your account was exposed in most of the data breaches by directly searching the system. However, certain breaches are particularly sensitive in that someone's presence in the breach may adversely impact them if others are able to find that they were a member of the site. These breaches are classed as "sensitive" and may not be publicly searched.

A sensitive data breach can only be searched by the verified owner of the email address being searched for. This is done by signing in to the dashboard which involves verifying you can receive an email to the entered address. Once signed in, all breaches (including sensitive ones) are visible in the "Breaches" section under "Personal".

There are presently 82 sensitive breaches in the system including Adult FriendFinder (2015), Adult FriendFinder (2016), Adult-FanFiction.Org, Ashley Madison, Beautiful People, Bestialitysextaboo, Brazzers, BudTrader, Carding Mafia (December 2021), Carding Mafia (March 2021), Catwatchful, CityJerks, Cocospy, Color Dating, CrimeAgency vBulletin Hacks, CTARS, CyberServe, Date Hot Brunettes, DC Health Link, Doxbin and 62 more.

[1] https://haveibeenpwned.com/FAQs#SensitiveBreach

by rocky_raccoon

1/28/2026 at 7:05:14 AM

You don't get to gatekeep what counts as "sensitive", all of my privacy is non-negotiable

by WhereIsTheTruth

1/27/2026 at 10:44:45 PM

> Bestialitysextaboo

I laughed pretty hard

by direwolf20
