If you've ever used SoundCloud to upload music, chances are you've used the private track feature to store or share work-in-progress tracks. But what if I told you these weren't actually private and anyone could easily access them?
Sometime in 2022, SoundCloud started using a link shortener when sharing tracks, allowing users to create much shorter links for their songs while also giving SoundCloud valuable tracking data when the links were clicked. These links were created automatically if the track was shared through the mobile app, while on the website the shortener was optional when sharing. If you shared a song using it, you would get a link that looks like this: https://on.soundcloud.com/abNh7KXDBGSNQtix6
Initially these links were much shorter, with the random string having only 5 characters, which provides around 900 million possible combinations. It didn't take long for people to realize these links could be brute-forced to gain access to any private track shared through the link shortener.
At first these links were brute-forced privately by a few select users, but tools for doing this were soon shared publicly, with the first one appearing on GitHub in October 2023. Shortly after this, SoundCloud seemingly realized these links were being brute-forced and switched the shortener fully to 17-character strings. This wasn't the end of the leak, though: over 20 million private tracks had already been shared using the shortener, and all of those links kept working for many months to come.
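To put numbers on the 5-character and 17-character lengths, here is an added sketch (not SoundCloud's code and not from any tool mentioned here) that sizes a share token against an enumeration budget. It assumes a base62 alphabet, which is what makes 5 characters come out near 900 million, and for illustration it treats all 20 million links as living in one keyspace; the guess budget and threshold are hypothetical.

```python
import math
import secrets
import string

# Assumption: base62 alphabet (a-z, A-Z, 0-9); 62**5 = 916,132,832.
ALPHABET = string.ascii_letters + string.digits


def keyspace(length: int) -> int:
    """Number of distinct tokens of the given length."""
    return len(ALPHABET) ** length


def expected_hits(length: int, live_links: int, guesses: int) -> float:
    """Expected count of valid links found by `guesses` random guesses.

    Each guess lands on a live link with probability live_links / keyspace,
    so the density of issued links matters as much as the raw keyspace.
    """
    return guesses * live_links / keyspace(length)


def min_safe_length(live_links: int, guess_budget: int, max_hits: float) -> int:
    """Shortest token length that keeps expected hits at or below max_hits."""
    length = 1
    while expected_hits(length, live_links, guess_budget) > max_hits:
        length += 1
    return length


def new_token(length: int) -> str:
    """Draw a token from the OS CSPRNG; length is useless if tokens are predictable."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    live = 20_000_000   # constructed from the "over 20 million" figure above
    budget = 1_000_000  # hypothetical number of guesses an enumerator makes
    for n in (5, 17):
        bits = math.log2(keyspace(n))
        print(f"{n} chars: {bits:.1f} bits, "
              f"expected hits {expected_hits(n, live, budget):.3g}")
    print("minimum length for <= 1e-6 expected hits:",
          min_safe_length(live, budget, 1e-6))
    print("sample token:", new_token(17))
```

Under these assumptions, roughly one guess in 46 lands on a live link at 5 characters, while at 17 characters the expected number of hits is effectively zero for any realistic budget.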
With many more people gaining access to these tools, some of these tracks slowly started leaking not long after, and some of the leaks were devastating to the artists involved. For example, the singer EDEN had his entire upcoming album leaked due to this. It wasn't only individual artists who were affected: the list of brute-forced tracks also included labels such as Ninja Tune, Run For Cover Records and Terrible Records, which had uploaded upcoming projects months before their release.

In October 2024 SoundCloud finally reset all private links leaked through the shortener, telling users the reset was due to an update to the website, without any acknowledgement of the leak.
Interestingly enough, this wasn't the first time private SoundCloud tracks were brute-forced. Just a few years ago, private track share IDs were also much shorter, allowing users to brute-force them if they managed to guess the track link.
With the site having had multiple leaks like this in the past, it's up to artists to decide whether they should keep using SoundCloud to store their private tracks, as this might not be the last time a leak like this happens.