
"The data involved consisted only of email addresses and information already visible on public SoundCloud profiles".

So they've scraped public data. Why care?


> email addresses

Aren't on public SoundCloud profiles.


Hackers stole information of 29.8M accounts (~20% of users). SoundCloud is downplaying the data beyond email address as "publicly available", but the data wasn't scraped. "Profile statistics" aren't public either. Their main response[0] seems to focus on passwords and payment details being the only risky data. They even imply email addresses are public.

> no sensitive data was taken in the incident. The data involved consisted only of email addresses and information already visible on public SoundCloud profiles (not financial or password data)

[0]: https://soundcloud.com/playbook-articles/protecting-our-user...


If the email addresses were visible on public profile pages in what sense are they not public?


Email addresses are not visible on public SoundCloud profiles. You can test this yourself.

I read the statement to be "emails plus public information"


Maybe the two public data points weren't connected before?

I don't use SoundCloud, but if profiles didn't have contact information like Email Address on them then it could be meaningful to now connect those two dots.

Like, 'Hey look, Person A, who is known to use email address X, kept Lost Prophets as one of their liked artists even after 2013!'


Yeah or this: https://news.ycombinator.com/item?id=26386418

SoundCloud is a weird place; people in entertainment have certain strong incentives. They figured out who I am, figured out all the email addresses I have, jacked the account attached to my SoundCloud, stole my account. I still, to this day, don't know how they pwned my email (2FA was on, but it didn't trigger suspicious activity; it let them log in without triggering it. No clue how they got the password either, and the password is secure enough that it's too hard to brute force, and it's not in a pwned db). Based on what was in my SoundCloud inbox when I got access again, someone paid a fair amount to have this done... and now I have to go change my email again, I suppose.


Organized crime stealing usernames was apparently a thing for a few years back then; interesting that it wasn't limited to Twitter.


You are 100% correct based on the article. Not good that you're gray, and your parent of "who cares, it was already available and scraped" is the top comment.


But, why care? (Yes, we can “care” that there was a leak - but… why worry? What new risk exists today that didn’t exist yesterday?)

The data in the leak (other than follower count, etc) was already available for purchase from Zoominfo, 8sense, or a variety of other data brokers or other legal marketplaces for PII.

I suppose the risk now is that the data is freely available and no longer behind a data broker’s paywall?


I'm confused: where were scrapers/data brokers/Zoominfo etc. getting email addresses for SoundCloud accounts?


They don’t. I’m confused why that info is valuable.


People pitching scammy “I can make you famous” services to aspiring musicians. Happens all the time, there’s a whole industry dedicated to it.


Let's say you have a $SOCIETAL_TABOO streak and let it out via a SoundCloud account that isn't identifiable as you without your email.

Now it is.

Now I can blackmail you or haunt you.

(I'm sure there are other examples; tl;dr people are deanonymized, and there are uncountable reasons why people choose anonymity)

> The data in the leak (other than follower count, etc) was already available for purchase from Zoominfo, 8sense, or a variety of other data brokers or other legal marketplaces for PII.

?


Isn't that a huge GDPR violation?


Overlooked in the (excellent) article and interesting for cracking bcrypt passwords: FPGAs, see e.g. <https://scatteredsecrets.medium.com/bcrypt-password-cracking...>.


Seems that bcrypt, scrypt and Argon2 are all designed to slow down attacks on specific hardware platforms. All run relatively slowly on GPUs, so they all work. The blog covers how to overcome this using FPGAs, specifically for bcrypt. The same might also work against scrypt and Argon2 if the configured parameters are in favor of FPGAs. If parameters exceed the specs of FPGAs, they will be slow as well. So it depends on the configuration of the algorithm.


I guess he's feeling the heat of sites that do more than parsing emails from spam lists. These sites include full cracked passwords, HIBP 2.0, see e.g. https://scatteredsecrets.com/.

