SongTrivia2 Music Trivia Platform Breach Exposes 291k User Accounts and Password Hashes
What Happened – In April 2026 the online music‑trivia service SongTrivia2 suffered a data breach, and the stolen data was later posted on a public hacking forum. The leak contains 291,739 unique email addresses, usernames, avatars, and bcrypt‑hashed passwords, as well as authentication tokens and personal names.
Why It Matters for TPRM –
- Credential data from a consumer‑facing SaaS vendor can be leveraged in credential‑stuffing attacks against partner services.
- Exposure of OAuth tokens indicates potential misuse of third‑party authentication flows, raising supply‑chain risk.
- The breach demonstrates the need for continuous monitoring of vendor security posture, especially for platforms handling user‑generated content.
Who Is Affected – Media & Entertainment (online gaming/trivia), consumer SaaS providers, any downstream services that accept SongTrivia2 OAuth tokens.
Recommended Actions –
- Review SongTrivia2’s security controls and OAuth implementation before continuing integration.
- Require affected users to reset passwords and enable MFA on any linked accounts.
- Add SongTrivia2 to your vendor risk monitoring list and schedule a formal security questionnaire.
Technical Notes – The breach appears to be a credential compromise; the exact attack vector was not disclosed (likely a server‑side data extraction or insecure storage). Compromised data includes email addresses, usernames, avatars, bcrypt password hashes, and auth tokens.
Source: Have I Been Pwned – SongTrivia2 breach