SoundCloud has confirmed a cyberattack on its platform after days of user complaints about service disruptions and connectivity problems. In what is being reported as a SoundCloud cyberattack, threat actors gained unauthorized access to one of its systems and exfiltrated a limited set of user data. “SoundCloud recently detected unauthorized activity in an ancillary service dashboard,” the company said. “Upon making this discovery, we immediately activated our incident response protocols and promptly contained the activity.”  Reports of trouble began circulating over several days, with users reporting that they were unable to connect to SoundCloud or experiencing access issues when using VPNs. After the disruptions persisted, the company issued a public statement on its website acknowledging the SoundCloud cyberattack incident. 

DoS Follows Initial SoundCloud Cyberattack

According to the music hosting service provider, the SoundCloud cyberattack was followed by a wave of denial-of-service attacks that further disrupted access to the platform. The company said it experienced multiple DoS incidents after the breach was contained, two of which were severe enough to take the website offline and prevent users from accessing the service altogether.  SoundCloud stated that it was ultimately able to repel the attacks, but the interruptions were enough to draw widespread attention from users and the broader technology community. These events highlighted the cascading impact of a cyberattack on SoundCloud, where an initial security compromise was compounded by availability-focused attacks designed to overwhelm the platform. 

Scope of Exposed Data and User Impact 

While the SoundCloud cyberattack raised immediate concerns about user privacy, the company stresses that the exposed data was limited. SoundCloud said its investigation found no evidence that sensitive information had been accessed.  “We understand that a purported threat actor group accessed certain limited data that we hold,” the company said. “We have completed an investigation into the data that was impacted, and no sensitive data (such as financial or password data) has been accessed.”  Instead, the data involved consisted of email addresses and information already visible on public SoundCloud profiles. According to the company, approximately 20 percent of SoundCloud users were affected by the breach.   Although SoundCloud described the data as non-sensitive, the scale of the exposure is notable. Email addresses can still be leveraged in phishing campaigns or social engineering attacks, even when other personal details remain secure.  SoundCloud added that it is confident the attackers’ access has been fully shut down. “We are confident that any access to SoundCloud data has been curtailed,” the company said. 

Security Response and Ongoing Connectivity Issues 

The company did not attribute the SoundCloud cyberattack to a specific hacking group but confirmed that it is working with third-party cybersecurity experts and has fully engaged its incident response protocols. As part of its remediation efforts, the company said it has enhanced monitoring and threat detection, reviewed and reinforced identity and access controls, and conducted a comprehensive audit of related systems.  Some of these security upgrades had unintended consequences. SoundCloud acknowledged that changes made to strengthen its defenses contributed to the VPN connectivity issues reported by users in recent days.  “We are actively working to resolve these VPN related access issues,” the company said. 

Hacktivist attacks on critical infrastructure doubled over the course of the third quarter, according to a new Cyble report. Hacktivist attacks on industrial control systems (ICS) grew throughout the third quarter and made up 25% of all hacktivist attacks by September, Cyble wrote in a blog post. “If that trend continues, it would represent a near-doubling of attacks on industrial control systems (ICS) from the second quarter of 2025,” Cyble said. The report follows a Canadian Centre for Cyber Security warning last week that hacktivists are targeting critical infrastructure in that country.

Hacktivist Attacks on Critical Infrastructure Led by Russia-linked Groups

Cyble said DDoS attacks and website defacements still account for most hacktivist activity, but the ideologically-motivated threat groups are increasingly turning their focus toward ICS attacks, data breaches, unauthorized access, and ransomware. Z-Pentest has been the leading hacktivist group targeting ICS infrastructure, but the threat group has also been joined by Dark Engine (also known as the Infrastructure Destruction Squad), Golden Falcon Team, INTEID, S4uD1Pwnz, and Sector 16. “Russia-aligned hacktivist groups INTEID, Dark Engine, Sector 16, and Z-Pentest were responsible for the majority of recent ICS attacks, primarily targeting Energy & Utilities, Manufacturing, and Agriculture sectors across Europe,” Cyble said. “Their campaigns focused on disrupting industrial and critical infrastructure in Ukraine, EU and NATO member states.” Among Z-Pentest’s targets in the third quarter were a water utility HMI system in the U.S. and an agricultural biotechnology SCADA system in Taiwan. The group frequently posts videos of its members tampering with ICS controls, and may have been one of the groups the U.S. Cybersecurity and Infrastructure Security Agency (CISA) was referring to in a warning about critical infrastructure tampering attacks earlier this year.

Most Active Hacktivist Groups

NoName057(16) remains the most active hacktivist group despite attempts by law enforcement to disrupt its operations, Cyble said. Z-Pentest and Hezi Rash increased their share of attacks in the third quarter, the threat intelligence company said. Special Forces of the Electronic Army, Jokeir_07x and BL4CK CYB3R all lost ground in the quarter, while newcomers like Red Wolf Cyber Team and INTEID increased their share of hacktivist activity in the quarter. One of the more noteworthy incidents in the quarter involved the Belarusian group Cyber Partisans BY, which joined with Silent Crow to claim a cyberattack on Russian state airline Aeroflot. The attackers disrupted key systems, exfiltrated more than 22TB of data, and claimed to have destroyed about 7,000 servers, Cyble said. In another noteworthy hacktivist attack, the Ukrainian Cyber Alliance and BO Team claimed a breach of a Russian manufacturer involved in military drone production, stealing engineering blueprints, VMware snapshots, storage mappings, and CCTV footage from UAV assembly facilities. The groups said they wiped servers, backups, and cloud environments after they exfiltrated data.

Hacktivism and Geopolitical Conflict

Geopolitical conflict “remains a primary motive in hacktivist campaigns,” Cyble said. The Thailand–Cambodia border conflict, the India–Pakistan and India-Bangladesh rivalries, Middle East conflicts – including the Israel–Hamas war and the Israel-Iran and Houthi–Saudi Arabian conflicts – the Russia–Ukraine war and domestic unrest in the Philippines were some of the major conflicts driving hacktivism across the globe. Ukraine was the leading target of hacktivist campaigns in the third quarter, Cyble said (chart below). [caption id="attachment_106494" align="aligncenter" width="624"] Most attacked countries by hacktivist groups (Cyble)[/caption] “The growing sophistication of the leading hacktivist groups is by now an established trend and will likely continue to spread to other groups over time,” Cyble said. “That means that exposed environments in critical sectors can expect further compromise by hacktivist groups, advanced persistent threats (APTs), and others known to target critical infrastructure.”