SoundCloud bounces some VPNs as it cleans up cyberattack • The Register

Music hosting and streaming service SoundCloud has admitted it suffered a cyberattack.

“SoundCloud recently detected unauthorized activity in an ancillary service dashboard,” opens a Monday post from the company. “Upon making this discovery, we immediately activated our incident response protocols and promptly contained the activity. We also engaged leading third-party cybersecurity experts to assist in a thorough investigation and response.”

Not long after SoundCloud and its hired help contained the incident, the site became the subject of multiple denial of service attacks.

Two of those unwelcome traffic torrents “were able to temporarily disable our platform’s availability on the web only,” the company’s post states.

SoundCloud repelled the DDOS attacks, investigated the matter and learned “a purported threat actor group accessed certain limited data that we hold.” SoundCloud says none of the data was sensitive – which it defines as financial or password data – and that attackers were able to access “only … email addresses and information already visible on public SoundCloud profiles.” The company also said the incident only impacted 20 percent of users, which is cold comfort to the 26 million or so folk whose data was slurped by the attackers, per Business of Apps’ estimate that SoundCloud had 132 million users last year.

SoundCloud’s post contains some clues about the incident, in the form of info about its remediation efforts, which include “enhancing our monitoring and threat-detection, reviewing and reinforcing identity and access controls and conducting a comprehensive audit of related systems.”

That suggests the threat actor may have accessed SoundCloud systems – perhaps through the “ancillary service dashboard” – and rummaged through a trove of data that’s also present in users’ public profiles, an outcome that’s consistent with the many warnings The Register has reported regarding credential theft as an increasingly common precursor to attacks.

Whatever went wrong at SoundCloud, the company made some configuration changes to its systems and says they “caused some users on VPNs to experience temporary connectivity issues.”

Those issues led some to assume SoundCloud had started blocking VPNs, which would be quite an odd thing to do given the site promotes itself as a frictionless community connecting musicians to fans.

It turns out those assumptions were wrong.

“We are actively working to resolve these VPN-related access issues,” SoundCloud’s post states. ®