Free YouTube Music accounts are now seeing their access to lyrics limited, according to multiple reports. Google started testing lyrics as an exclusive feature for Premium users in September, but it appears that it’s now receiving a wider rollout. It seems that free users will be limited to viewing lyrics for five songs per month, though we’ve reached out to Google for confirmation.

Once that limit is reached, users will only be able to see the first couple of lines. Everything beyond that will be blurred out, and they’ll be prompted to “Unlock lyrics with Premium.” The banner warning users about their limited lyric views remaining appears prominently when you open the tab, complete with a countdown.

Hackers have exposed personal and contact information tied to SoundCloud accounts, with data breach notification service Have I Been Pwned reporting impacts to approximately 29.8 million users. The breach hit one of the world’s largest audio platforms and left many users locked out with error messages before the company confirmed the incident.

Founded in 2007, SoundCloud grew into an artist-first service hosting more than 400 million tracks from over 40 million creators. That scale made this incident especially concerning. SoundCloud said it detected unauthorized activity tied to an internal service dashboard and launched its incident response process. At the time, users reported 403 Forbidden errors, especially when connecting through VPNs.

Sign up for my FREE CyberGuy ReportGet my best tech tips, urgent security alerts and exclusive deals delivered straight to your inbox. Plus, you’ll get instant access to my Ultimate Scam Survival Guide — free when you join my CYBERGUY.COM newsletter

149 MILLION PASSWORDS EXPOSED IN MASSIVE CREDENTIAL LEAK

What data was exposed in the SoundCloud breach

SoundCloud initially said attackers accessed limited data and did not touch passwords or financial information. The company said the exposed information matched what users already show publicly on profiles.

Later disclosures painted a much bigger picture.

According to Have I Been Pwned, attackers harvested data from approximately 29.8 million accounts. That data included:

• Email addresses
• Usernames and display names
• Profile photos and avatars
• Follower and following counts
• Geographic locations, in some cases

While no passwords were taken, linking emails to public profiles creates real risk. That combination fuels phishing, impersonation and targeted scams.

Who is behind the attack

Security researchers tied the breach to ShinyHunters, a well-known extortion gang. Sources told BleepingComputer that the group attempted to extort SoundCloud following the data breach. SoundCloud later confirmed those claims. In a January update, the company said attackers made demands and launched email-flooding campaigns to harass users, employees and partners. ShinyHunters has also claimed responsibility for recent voice phishing attacks targeting single sign-on systems at Okta, Microsoft and Google. Those attacks targeted corporate SaaS accounts to steal data and extort.

Why this breach matters even without passwords

At first glance, this may sound less serious than breaches involving passwords or credit cards. That assumption can be dangerous. Email addresses tied to real profiles allow scammers to craft convincing messages. They can pose as SoundCloud, brands or even other creators. With follower counts and usernames, messages feel personal and believable. Once attackers gain trust, they push links, malware or fake login pages. That is often how larger account takeovers begin.

What SoundCloud users should expect next

SoundCloud has not said whether more details will be released. The company did confirm the attack and the extortion attempt, but it has not answered follow-up questions about the scope or internal controls. For users, the long-term risk comes from how widely this dataset spreads. Once published, exposed data rarely disappears. It circulates across forums, marketplaces and scam networks for years.

We reached out to SoundCloud for comment, and a representative told us, “We are aware that a threat actor group has published data online allegedly taken from our organization. Please know that our security team—supported by leading third-party cybersecurity experts—is actively reviewing the claim and published data.”

SoundCloud has said it has found no evidence that sensitive data, such as passwords or financial information, was accessed.

Ways to stay safe after the SoundCloud breach

If you have or had a SoundCloud account, now is the time to act. Even limited data exposure can lead to targeted scams if you ignore it.

1) Watch for phishing and impersonation emails

Scammers often move fast after a breach. Watch your inbox for messages that mention SoundCloud, music uploads, copyright issues or account warnings. Do not click links or open attachments from unexpected emails. When in doubt, go directly to the official website instead of using email links. Strong antivirus software adds another layer of protection here.

The best way to safeguard yourself from malicious links that install malware, potentially accessing your private information, is to have strong antivirus software installed on all your devices. This protection can also alert you to phishing emails and ransomware scams, keeping your personal information and digital assets safe.

Get my picks for the best 2026 antivirus protection winners for your Windows, Mac, Android & iOS devices at Cyberguy.com

2) Change your SoundCloud password anyway

Passwords were not exposed, but changing them is still smart. Create a new password that you do not use anywhere else. If remembering passwords feels impossible, consider using a password manager to generate and securely store strong passwords. This reduces the risk of reuse across platforms.

Next, see if your email has been exposed in past breaches. Our #1 password manager (see Cyberguy.com) pick includes a built-in breach scanner that checks whether your email address or passwords have appeared in known leaks. If you discover a match, immediately change any reused passwords and secure those accounts with new, unique credentials.

Check out the best expert-reviewed password managers of 2026 at Cyberguy.com

3) Turn on two-factor authentication

Two-factor authentication (2FA) adds a critical barrier if someone tries to access your account. Even if attackers guess or obtain a password later, they still need a second verification step. Enable 2FA anywhere SoundCloud or connected services offer it.

4) Lock down your email account 

Your email is the real target after most breaches. If someone gains access to it, they can reset passwords everywhere else. Use a strong, unique password for your email account and turn on two-factor authentication. Review recovery emails and phone numbers to make sure they still belong to you.

DATA BREACH EXPOSES 400,000 BANK CUSTOMERS’ INFO

5) Reduce your online data footprint

Attackers use breached emails to search data broker sites and social platforms for more details. The less data available, the harder you are to target. Consider a data removal service to limit how often your email and personal details appear across the web.

While no service can guarantee the complete removal of your data from the internet, a data removal service is really a smart choice. They aren’t cheap, and neither is your privacy. These services do all the work for you by actively monitoring and systematically erasing your personal information from hundreds of websites. It’s what gives me peace of mind and has proven to be the most effective way to erase your personal data from the internet. By limiting the information available, you reduce the risk of scammers cross-referencing data from breaches with information they might find on the dark web, making it harder for them to target you.

Check out my top picks for data removal services and get a free scan to find out if your personal information is already out on the web by visiting Cyberguy.com

Get a free scan to find out if your personal information is already out on the web: Cyberguy.com

6) Check your other accounts for suspicious activity

Attackers often reuse exposed email addresses to test logins across streaming services, social media and shopping accounts. Watch for password reset emails you did not request or login alerts from unfamiliar locations. If something looks off, act fast.

Kurt’s key takeaways

Data breaches no longer stay contained to one app or one moment in time. Even when attackers expose information that looks harmless, the fallout can last much longer. The SoundCloud breach shows how public profile data paired with private contact details creates real exposure. Staying alert, limiting data sharing and using strong security habits remain your best defense as breaches continue to escalate.

Have you checked which old or forgotten accounts still expose your email and could be putting you at risk right now? Let us know your thoughts by writing to us at Cyberguy.com

CLICK HERE TO DOWNLOAD THE FOX NEWS APP

Sign up for my FREE CyberGuy Report Get my best tech tips, urgent security alerts and exclusive deals delivered straight to your inbox. Plus, you’ll get instant access to my Ultimate Scam Survival Guide — free when you join my CYBERGUY.COM newsletter 

Copyright 2026 CyberGuy.com.  All rights reserved.

After what can generously be called a contentious tenure as the CEO of The Washington Post, Will Lewis is stepping down following mass layoffs this week. Jeff D’Onofrio, former CEO of Tumblr from 2017 to 2022, will step in as acting CEO and publisher. D’Onofrio has been CFO at the Post since June of last year, meaning he’s had a front row seat to Jeff Bezos’ dismantling of the once storied paper for the last nine months.

D’Onofrio’s resume doesn’t include extensive experience in traditional news media, nor many notable success stories. He was briefly the general manager of Yahoo News while it was still a Verizon property, before shifting his focus solely to Tumblr. Under his leadership, Tumblr tried to clean up its image by banning adult content, but its traffic fell by 30 percent. Yahoo had purchased Tumblr for $1.1 billion in 2013. By 2019, it was sold to Automatic, the owner of WordPress, reportedly for less than $3 million.