Pandora, the SiriusXM-owned music streaming service, was caught up in a broader supply chain attack targeting Salesforce in October 2025. A threat group calling itself "Scattered LAPSUS$ Hunters" claimed responsibility and released a sample of stolen data on October 3, 2025, announcing that the full dataset would follow on October 10, 2025. Pandora was one of approximately 39 organizations listed on the group's dark web leak site as part of the same campaign. The breach affected an estimated 8.9 million records. The exposed data includes customer names, email addresses, phone numbers, and home addresses, along with account metadata from Salesforce's CRM platform. This combination of contact details creates clear pathways for phishing attacks, where criminals craft convincing messages impersonating Pandora or SiriusXM, as well as for account takeover attempts and physical mail fraud. Because the data originates from a music platform, it may also carry behavioral signals, such as subscription history and usage patterns, that can be used to build detailed profiles of affected individuals. Pandora has not issued detailed public statements about its specific exposure or response to the incident. No regulatory action has been publicly announced. Affected individuals should treat unexpected emails or calls referencing their Pandora account with suspicion, consider placing a fraud alert with credit bureaus, and monitor for any unauthorized account activity.

Streaming services collect user accounts, emails, subscription data, listening history, device identifiers, and ad or recommendation signals across music-delivery platforms.

Pandora has operated under SiriusXM's ownership with continued investment in its personalized radio and on-demand streaming products. SiriusXM has been managing subscriber and revenue dynamics across its combined satellite and streaming portfolio. No major standalone Pandora organizational developments beyond the breach have been prominently reported in the recent period.