291,000 users affected by a claimed leak at SongTrivia2.io
In April 2026, the music trivia game platform SongTrivia2 suffered a data breach published to a public hacking forum, exposing roughly 291,000 user accounts including email addresses, names, usernames, avatars, auth tokens and bcrypt password hashes.
- Victim
- SongTrivia2.io
- records
- 291.7K
On 3 April 2026, SongTrivia2 β an online music trivia game where players guess songs and compete against one another β was reported to have suffered a data breach after its database was published on a public cybercrime forum by a threat actor going by "punk". The data was loaded into Have I Been Pwned on 4 April 2026, with the breach itself dated to April 2026.
The leaked database held approximately 291,000 unique accounts (cited precisely as 291,739). It covered both users who registered directly on the site and those who signed in via Google OAuth; directly created accounts also included passwords stored as bcrypt hashes.
Exposed data categories included:
- Email addresses
- Names and usernames
- Avatars
- Authentication tokens
- Passwords (bcrypt hashes, for directly created accounts)
The breach appears to be a straightforward database exfiltration later traded on a hacking forum. SongTrivia2 has not publicly detailed the root cause or any remediation measures, so the status remains unknown.
Sources
- fuitesinfos.frhttps://fuitesinfos.fr/article/2026-04-03-songtrivia2-io
- haveibeenpwned.comhttps://haveibeenpwned.com/Breach/SongTrivia2
- redpacketsecurity.comhttps://www.redpacketsecurity.com/songtrivia2-291-739-breached-accounts/