7 Sources
[1]
Hack suggests AI music generator Suno scraped YouTube for training data
The AI music generator Suno was hacked, according to a report from 404 Media. The hacker told the publication that they used a supply chain attack to access an employee's credentials, allowing them to then access source code showing how Suno allegedly scraped decades of audio from YouTube Music, Deezer, Genius, stock music libraries, and podcast RSS feeds. Suno previously admitted that it trains its AI on "publicly available music files" on the open internet, arguing that it can train on copyrighted material under the fair use doctrine, a subjective carve out of copyright law. But according to the major record labels actively suing Suno, it is illegal under the Digital Millennium Copyright Act (DMCA) to deliberately circumvent YouTube's protections against data scraping; it also violates YouTube's terms of service. Udio, a competitor to Suno, has also been accused of scraping YouTube data. Google, the parent company of YouTube, faces similar allegations of copyright infringement from a variety of major book publishers. The hacker reportedly accessed customer data including customer emails, phone numbers, and partial credit card numbers in Stripe. Suno did not notify customers about the November 2025 breach and claims that this was a "limited security incident that was quickly contained."
[2]
Source Code Hack Reveals Suno's AI Was Trained on Millions of YouTube Songs
Musicians, streaming services and record labels have been claiming for years that AI music services use their vast collections of human-created music to build their artificial intelligence tools. Now we have a clearer picture of how Suno, an AI company that helps people create AI audio clips and songs, created its music. A hack of Suno's source code reveals that it trained its AI by scraping massive amounts of music and lyrics from platforms like YouTube Music, Deezer, Genius and stock music libraries, 404 Media reported Wednesday. The hacker, who goes by the moniker ellie.191, used a supply chain attack vector in November 2025. Screenshots and information shared with 404 Media confirm some of the origins of the company's training data from 2023 and 2024. One file shows that, at the time it was last opened, there were over 2 million clips in a folder called "youtube_music." Other files contain over 17,000 hours of music from Genius HQ, more than 12,000 hours from streaming service Deezer and more than 62,000 hours from a Shutterstock-owned stock music site called Pond5. The hacker was also able to access customer records and payment details kept by Suno's payment vendor, Stripe, 404 Media reports. A Suno spokesperson told CNET that the company immediately investigated the breach and found it "primarily involved outdated source code that is no longer in use at Suno and that no sensitive personal information was compromised." The company also denies it has access to customers' full credit card numbers and concluded that, under current privacy laws, it did not need to notify individual users. Pulling back the curtain on AI-generated music With a new trend of people creating songs from their text message exchanges, you may have heard of some of Suno's AI-generated songs on social media. As sites like Suno gain popularity, it's important to know how they operate. Even though the source code shown in the hack isn't in use anymore, it's a unique peek into the black boxes tech companies guard as they build generative AI. It also seemingly validates many of the allegations in the copyright infringement lawsuits brought against Suno. A trade association representing the biggest record labels, including Universal Music Group, Sony Music Entertainment and Warner Music Group, claims in an ongoing lawsuit that Suno's use of its artists' songs, without consent or proper licensing, violates their copyright protections. Like other AI companies, Suno is claiming its use of original material as training data is legal under the fair use doctrine in copyright law. Anthropic and Meta won similar lawsuits brought by authors claiming infringement last summer. A source close to the litigation told CNET that the company doesn't consider the information in 404 Media's story "materially new" since it has disclosed its training methods in a public filing and on a page on its website. "Suno's music generative AI models are trained on publicly available music files and related metadata accessible on third-party websites on the open internet," its website says. All these lawsuits underpin the tumultuous situation unfolding in creative industries. Tech companies like Suno say they are there to aid the creative process and democratize access; human artists across all mediums say AI uses their work without permission to create cheap imitations known as AI slop that executives use to lay off workers. Some publishers and copyright holders have struck deals with AI companies to use their content. AI companies have also introduced some guardrails to prevent deepfakes and explicit copying -- you can't ask Suno to create a pop song in the style of Taylor Swift, for example. But these measures have done little to reassure artists. Even when record labels strike deals with AI companies, as UMG did with Suno in settling a separate lawsuit, musicians say they haven't received any compensation for the use of their songs.
[3]
Suno snatched millions of songs from YouTube, Genius, and Deezer
Suno data obtained in a hacking incident has exposed that the AI music generator was trained by scraping millions of songs and lyrics from online audio platforms, including YouTube Music, Deezer, and Genius, 404 Media reports. Given that Suno has avoided revealing what's in its training datasets and how they were acquired, this a rare glimpse into what Suno has actually been taking from online platforms. That's relevant because Suno has been the subject of several lawsuits that allege it used copyrighted materials to train its AI models. In a notable case filed by the Recording Industry Association of America (RIAA), Suno openly admitted that it does so, arguing that training on copyrighted materials and publicly available music files from the open internet is legally permitted under fair use doctrine. Whether or not a court agrees with that, an amendment filed by the RIAA last year also alleges that Suno unlawfully circumvented YouTube's copyright protections by intentionally "stream ripping" tracks from the platform. Materials shared with 404 Media by the hacker, referred to as "ellie.191," reportedly back up those allegations. The data includes Suno source code from 2023 and 2024, alongside scraping instructions to pull audio files from YouTube Music, Deezer, Genius, Pond5, Jamendo, Freesound, and the International Music Score Library Project (IMSLP). Other leaked code reportedly suggests that Suno used a third-party company called Bright Data to scrape music from YouTube, and seemingly searched for acapella versions of songs on the platform to source vocal-only audio. A file for YouTube Music notes that Suno had consumed 2,013,545 YouTube Music clips at the point it was last updated. According to another file, datasets compiled by Suno included hundreds of thousands of hours of YouTube Music, thousands of hours of Deezer, Genius, IMSLP, Jamendo, and Pond5, and hundreds of hours of Freesound and MuseScore lyrics. Suno also sought to download roughly 1 million hours of podcasts via an online tool called PodcastIndex, according to additional code. "As we have stated in public filings and disclosures, Suno's AI models have been trained on publicly available music files and related metadata accessible on third-party websites on the open Internet," an unnamed Suno spokesperson said in a statement to 404 Media. Suno customer information was also accessed by the hacker, which included email addresses, phone numbers, and Stripe payment details. Some of the customers contacted by 404 Media confirmed that they had signed up for the service, and said that Suno never notified them about a security breach. In a statement to 404 Media, a Suno spokesperson said the company became aware of a security incident in November 2025, and that the situation was quickly contained. "At the time, we immediately conducted an investigation and verified that the incident primarily involved outdated source code that is no longer in use at Suno and that no sensitive personal information was compromised. Importantly, Suno does not have access to customers' full credit card numbers in Stripe," the Suno spokesperson said. "Based on the limited nature of the customer information believed to be involved, we determined that individual notifications were not warranted under applicable privacy laws."
[4]
A hacker accessed Suno source code that reportedly details how the company scraped millions of songs - Engadget
The company says it was breached in November and "no sensitive personal information was compromised." Suno -- an app that vomits out soulless audio in the form of AI-generated "music" -- has been hacked. According to 404 Media, the hacker accessed data related to Suno's training practices, as well as details on its customers. It's not exactly a secret at this point that copyrighted music has been used for AI training. Last month, The Atlantic dug into datasets containing millions of songs that are used for such purposes. Still, this hack sheds some more light on Suno's data vacuuming practices. Data the hacker provided to 404 Media indicated that Suno scraped music and lyrics from the likes of YouTube Music, Deezer and Genius, as well as stock music libraries. The company may have used proxy services to scrape music from YouTube, including acapella versions of songs, per the report. It appears Suno used RSS feeds to scrape hundreds of thousands of podcasts too. Suno has faced a copyright infringement lawsuit from record labels in the US. Late last year, Warner Music Group dropped out of the case as it reached a licensing deal with Suno. Back in 2024, Suno admitted in a court filing that its systems scraped "tens of millions of recordings" from the internet to use as training data, arguing that its approach constituted "fair use under copyright law." To obtain the data, the hacker said they hit a Suno employee with a worm that allowed them to access credentials for GitHub and cloud services. Along with the details about Suno's music-scraping practices, they reportedly obtained its customer list. This is said to have information regarding hundreds of thousands of Suno customers, including email addresses and phone numbers. Suno confirmed the hack in a statement to 404 Media. A spokesperson, who also noted that the company has systems that try to prevent users from replicating artist's existing music, said: As we have stated in public filings and disclosures, Suno's AI models have been trained on publicly available music files and related metadata accessible on third-party websites on the open Internet. In November of 2025, we determined that Suno had been the subject of a limited security incident that was quickly contained. At the time, we immediately conducted an investigation and verified that the incident primarily involved outdated source code that is no longer in use at Suno and that no sensitive personal information was compromised. Importantly, Suno does not have access to customers' full credit card numbers in Stripe. Based on the limited nature of the customer information believed to be involved, we determined that individual notifications were not warranted under applicable privacy laws.
[5]
AI Music App Suno Got Hacked, Giving a Glimpse of Just How Much Music It Scraped
AI models tend to be black boxes, but it seems they do become a little less opaque if you forcibly crack them open. According to a report from 404 Media, a hacker who allegedly breached AI music generation platform Suno back in November 2025 was able to get a peek into the trove of training data that was used to build Suno's models -- and it contains lots of works from artists that the company seems to have scraped from streaming platforms. Per 404 Media, the hacker was able to get their hands on source code from Suno between 2023 and 2024, which seems to include scraping instructions and a sense of just how much material Suno's model was sucking up. The code seems to suggest that Suno scraped material from the lyrics platform Genius, YouTube Music, streaming platform Deezer, and various stock music libraries like Freesound and the International Music Score Library Project. A file related to YouTube Music suggested that at the time, the company had scraped 2,013,545 music clips from the platform. Another dataset quantified it by time rather than files: 113,879 hours of music from YouTube Music, 17,615 from Genius, 62,117 hours from royalty-free music site Pond5 -- and the list goes on. A spokesperson for Suno confirmed the hack to Gizmodo. "In November of 2025, we determined that Suno had been the subject of a limited security incident that was quickly contained," the spokesperson said. "At the time, we immediately conducted an investigation and verified that the incident primarily involved outdated source code that is no longer in use at Suno." The breach also reportedly included customers' emails or phone numbers and Stripe payment details. Suno said that "no sensitive personal information was compromised" and noted, "Importantly, Suno does not have access to customers' full credit card numbers in Stripe." The company did not inform impacted customers individually. "Based on the limited nature of the customer information believed to be involved, we determined that individual notifications were not warranted under applicable privacy laws," the spokesperson said. As for all that scraped data, Suno holds that the hack hasn't revealed anything new. "Our goal has always been to help people create original new music, not replicate someone else's. That's why we build our models around what we call 'Original Creation, By Design,'" the spokesperson said. "For example, we intentionally do not use artist names as a category of training metadata because we want our models to help people create brand new songs, not music that replicates other artists' existing work. It's also why we built Suno with detection filters that block or prevent a user from using specific artist, song, or album names as prompts, and prevent users from uploading lyrics or sound recordings that match existing works." Suno has been the subject of several lawsuits over its music generation model -- including one case that would seem to contradict its claims of safeguards against obvious knock-offs. In a case brought against Suno by major labels -- including Universal Music Group, Capitol Records, Atlantic Records, Warner Music, and Sony Music -- the labels allege, among other things, that prompting "1954 rock and roll billy haley comets" in Suno resulted in an output that allegedly directly rips off Bill Haley's "style and melody." As for the actual material scraped by Suno, the company basically seems to argue that it is all fair game. "As we have stated in public filings and disclosures, Suno's AI models have been trained on publicly available music files and related metadata accessible on third-party websites on the open Internet," a spokesperson for the company said. The company has admitted in legal filings that its training data "includes essentially all music files of reasonable quality that are accessible on the open internet," but claims that its scraping and use of the material for training its models falls under fair use. Whether that defense holds or not is a very open question -- there have only been a few rulings on the question, and they've been split thus far. Suno obviously has opted not to wait for clarity and has built its model seemingly on the assumption that either its fair use defense will win out or it'll just pay whatever fine it gets hit with should a ruling go against it. To its credit, it's been pretty transparent about the fact that it's scraping everything. Now, thanks to the hack, we've just got a clearer sense of the scale.
[6]
Suno AI music was trained on 2M+ scraped YouTube songs
A hack of Suno AI music exposed its source code, showing it scraped millions of songs from YouTube, Deezer, and Genius to train its song generator. For years, musicians have said AI song generators fed on their work without asking. A hacker just opened the black box and showed them exactly how. Leaked source code from Suno, one of the biggest AI music tools, tells the story. It trained its model by scraping millions of songs and lyrics from across the internet. 404 Media got the data from a hacker who breached the company. The haul is enormous. One file, labelled "youtube_music," had logged more than 2 million clips. Others list tens of thousands of hours pulled from Deezer, Genius, and the stock library Pond5. In all, it adds up to decades of recorded music. Ripping the vocals The code is specific about what it wanted. To capture clean voices, it hunted for a cappella versions of songs on YouTube. To slip past YouTube's defences, Suno routed its scraping through a proxy firm called Bright Data. It also trawled 420,000 podcasts, chasing roughly a million hours of speech. None of this is entirely new. In court, Suno has already admitted training on "essentially all music files of reasonable quality" on the open web. But the leak shows the machinery behind that line. The record labels have long alleged as much. Suing Suno, the RIAA said the company copied "decades worth of the world's most popular sound recordings," and did it by "stream ripping" from YouTube, dodging the platform's copy protections. 'Fair use,' Suno says Suno's defence, like most AI firms, is fair use. It says it trains on "publicly available music files" and builds its models for "original creation." It even leaves artist names out of its training data, to discourage copycats. On the breach, the company played it down. It called the November 2025 incident "limited" and "quickly contained," said the exposed code was outdated, and insisted no sensitive data leaked. It does not hold customers' full card numbers, it added, and it decided it did not need to tell users at all. The hacker, who goes by ellie.191, tells a different story. They said they got in through the Shai-Hulud worm, grabbed an employee's credentials, and pulled customer emails, phone numbers, and Stripe records. Suno never warned those users, some of them told 404 Media. The motive? "I like to hack anything and everything." The bigger fight The timing matters. Some labels have already made peace, striking licensing deals with AI firms rather than fighting on. Sony is still in court, with a pivotal fair-use ruling due this summer. Meanwhile artists keep saying the deals do little for them. Suno's chief executive, Mikey Shulman, once said most people "don't enjoy the majority of the time they spend making music." The people whose music trained his model might disagree.
[7]
Hack Reveals Suno AI Music Generator Scraped YouTube, Deezer, and Genius
Hacked source code reveals how Suno scraped decades worth of music and podcasts from the internet to train its AI tool. The AI music generation tool Suno scraped millions of songs and lyrics from YouTube Music, Deezer, and Genius, as well as from the stock music libraries Pond5, Jamendo, Freesound, the International Music Score Library Project, and podcasts via RSS feeds, according to a hacker who breached the company and shared data about Suno's training libraries with 404 Media. The hacker was also able to access user information for hundreds of thousands of Suno's customers, as well as Stripe payment information, they said. The hacked data is a rare look at exactly how AI models and tools are built. Suno is one of the largest AI music generation tools on the internet, and has been the subject of several major lawsuits from the record industry, which accused the company of training on millions of copyrighted songs. As part of these legal proceedings, Suno previously admitted that it was trained on "essentially all music files of reasonable quality that are accessible on the open internet," which included a total of "tens of millions of recordings." Suno has been making the argument that it is allowed to train on copyrighted works as fair use in those cases, one of which has been settled. The lawsuits have made clear that Suno did train on huge amounts of copyrighted works, but the hacked data shared with 404 Media sheds more light on how Suno scraped songs from the internet and where it took them from. The Recording Industry Association of America accused Suno of ripping songs directly from YouTube; the hacked data seen by 404 Media confirms this. The hacked material includes source code that appears to be from 2023 and 2024 that includes scraping instructions and details about the scope of at least some of the scraping. For example, the comments in one file note that they will pull from "genius_hq, youtube_music, freesound, jamendo, imp, deezer, ytm_tagged," and that "non-music will be filtered out." A file called "youtube_music" notes that at the time the file was last updated, it had ingested "2,013,545 music clips." Another file contains comments about different datasets Suno had created, which included "113,879 hours of youtube_music," "17,615 hours of genius_hq," "410 hours of free sound," "19,514 hours of imslp," "3,726 hours of jamendo," "62,117 hours of pond5_music," "12,287 hours of deezer," "152,162 hours of ytm_tagged," and "103 hours of musescore_lyrics." In total, this is at least decades worth of music. Other code the hacker shared with 404 Media appeared to look specifically for vocals by searching specifically for acapella versions of songs on YouTube. The code also suggested that Suno was using proxies to scrape songs from YouTube through a company called Bright Data, which sells scraping tools, infrastructure, and data services. Additional code shows that with the help of an online tool called PodcastIndex, Suno identified 420,000 different podcasts that had at least five, 30-minute episodes and sought to download roughly 1 million hours of podcasts. It is unclear from the files seen by 404 Media exactly how Suno scraped files from each of the other platforms. Pond5 is a stock music and sound effects library owned by Shutterstock in which customers pay to access songs individually or can access a limited number of songs per month with a subscription. Pond5 claims it has 2.5 million music tracks; Suno's data suggests that it scraped a substantial amount of the entire library. Genius, meanwhile, does not host songs directly on its website but allows Apple Music subscribers to play music through the website or to play samples of songs through Apple Music. In one of its lawsuit filings, Suno said that its "training data includes essentially all music files of reasonable quality that are accessible on the open internet, abiding by paywalls, password protections, and the like, combined with similarly available text descriptions," and that it was "constructed by showing the program tens of millions of instances of different kinds of recordings gathered from publicly available sources." "For Suno specifically, this process involved copying decades worth of the world's most popular sound recordings and then ingesting those copies into Suno's AI models so they can generate outputs that imitate the qualities of genuine human sound recordings," the RIAA wrote in its lawsuit against Suno. "And to make matters worse, Suno obtained those copies in the first instance by unlawfully 'stream ripping' them from the popular streaming platform YouTube, and circumventing the technological measures designed specifically to prevent such unauthorized copying." In a statement, a Suno spokesperson said "As we have stated in public filings and disclosures, Suno's AI models have been trained on publicly available music files and related metadata accessible on third-party websites on the open Internet. In November of 2025, we determined that Suno had been the subject of a limited security incident that was quickly contained. At the time, we immediately conducted an investigation and verified that the incident primarily involved outdated source code that is no longer in use at Suno and that no sensitive personal information was compromised. Importantly, Suno does not have access to customers' full credit card numbers in Stripe." "Based on the limited nature of the customer information believed to be involved, we determined that individual notifications were not warranted under applicable privacy laws," the Suno spokesperson added. Suno also sent a training data disclosure required under California law. The hacker, ellie.191, told 404 Media they breached the company by hacking an individual employee using the Shai-Hulud worm, a supply chain attack that allowed hackers to harvest GitHub and cloud service credentials. They said they also accessed Suno's customer list, which included customers' emails and/or phone numbers and Stripe payment details, depending on what they used to login. The hacker provided a sample of some of the customers, some of whom confirmed to 404 Media they had used their phone number to sign up for Suno and said they were never notified of a breach. The hacker told 404 Media they had no specific motivation for hacking Suno and said "I like to hack anything and everything." 404 Media has previously reported on leaked materials that showed Nvidia and Runway ML scraped YouTube en masse. For the most part, AI companies no longer deny training on copyrighted materials and instead make the argument that they are allowed to scrape artists' work under fair use carveouts in copyright law. Last month, The Atlantic reported on several music databases that are widely used in AI training, consisting of millions of tracks: "Three of the datasets I found are distributed as a list of links to songs on YouTube or Spotify. AI developers download the actual audio using tools that automate the job, some of which allow developers to bypass logins, advertisements, and mechanisms that might earn money or subscribers for creators. Such tools violate the terms of service of these platforms. (The fourth dataset, the Free Music Archive collection, is distributed with MP3s.)," the author of The Atlantic piece wrote. It is unclear whether Suno used any of these datasets. The Suno spokesperson added that the company has worked to try to prevent users from generating songs that sound like existing songs. One of the contentions of several of the lawsuits was that Suno could be used to output songs that are nearly indistinguishable from existing works. "Our goal has always been to help people create original new music, not replicate someone else's. That's why we build our models around what we call 'Original Creation, By Design.' For example, we intentionally do not use artist names as a category of training metadata because we want our models to help people create brand new songs, not music that replicates other artists' existing work," the spokesperson said. "We believe artists deserve both new opportunities and strong protections. That's why we've invested in safeguards designed to help prevent impersonation, and other forms of misuse, while continuing to develop technologies for AI identification." Mikey Shulman, the CEO and founder of Suno, said on a podcast last year that he believes the "majority of people don't enjoy the majority of the time they spend making music."
Share
Copy Link
A hacker accessed Suno's source code, revealing the AI music generator scraped over 2 million clips from YouTube Music, plus thousands of hours from Deezer and Genius. The November 2025 breach also exposed customer data, but Suno claims it involved outdated code and no sensitive information was compromised. The revelations support allegations in ongoing copyright infringement lawsuits from major record labels.
The AI music generator Suno suffered a security breach in November 2025 that has pulled back the curtain on its controversial AI training practices. According to 404 Media
1
, a hacker using the moniker "ellie.191" deployed a supply chain attack to access employee credentials, gaining entry to source code that details how Suno scraped massive quantities of music from platforms including YouTube Music, Deezer, Genius, stock music libraries, and podcast RSS feeds2
.The leaked files paint a striking picture of the scale of Suno's data collection. One file labeled "youtube_music" contained over 2 million clips at the time it was last opened
3
. Additional datasets revealed more than 17,000 hours of music from Genius HQ, over 12,000 hours from streaming service Deezer, and more than 62,000 hours from Pond5, a Shutterstock-owned stock music site2
. Other leaked code suggests Suno used a third-party company called Bright Data to scrape music from YouTube, and actively searched for acapella versions of songs to source vocal-only audio3
.
Source: TechCrunch
The revelations from this source code hack appear to validate allegations in ongoing copyright infringement lawsuits brought against Suno by major record labels including Universal Music Group, Sony Music Entertainment, and Warner Music Group
2
. The Recording Industry Association of America (RIAA) filed a notable case alleging that Suno unlawfully circumvented YouTube's copyright protections through intentional "stream ripping" of tracks from the platform3
. Under the Digital Millennium Copyright Act (DMCA), deliberately circumventing YouTube's protections against data scraping is illegal, and it also violates YouTube's terms of service1
.Suno has previously admitted that it trains its AI on "publicly available music files" from the open internet, defending its approach under the fair use doctrine—a subjective carve-out of copyright law
1
. The company maintains that its use of original material as training data is legal, a defense similar to what Anthropic and Meta successfully used in lawsuits brought by authors last summer2
. However, whether courts will accept this fair use claim for AI music generation remains an open question, with rulings on the matter split thus far5
.
Source: Gizmodo
Beyond exposing AI training practices, the hacker also accessed customer data including email addresses, phone numbers, and partial credit card numbers stored in Stripe
1
. Some customers contacted by 404 Media confirmed they had signed up for the service and said Suno never notified them about the security breach3
.In response, a Suno spokesperson stated the company became aware of the incident in November 2025 and that it was "quickly contained." The company characterized it as a "limited security incident" involving "outdated source code that is no longer in use at Suno" and claimed "no sensitive personal information was compromised"
4
. Suno emphasized it does not have access to customers' full credit card numbers in Stripe and determined that individual notifications were not warranted under applicable privacy laws3
.Related Stories
This breach highlights the ethical and legal concerns surrounding AI music generation and its impact on creative industries. While tech companies like Suno position themselves as democratizing music creation, human artists across all mediums argue that AI uses their work without permission to create cheap imitations
2
. Even when record labels strike deals with AI companies—as Universal Music Group did with Suno in settling a separate lawsuit—musicians report they haven't received compensation for the use of their songs2
.
Source: CNET
Suno's competitor Udio has also been accused of scraping YouTube data, while Google, YouTube's parent company, faces similar allegations of copyright infringement from major book publishers
1
. The company maintains it has built safeguards to prevent deepfakes and explicit copying—users cannot prompt Suno to create songs in the style of specific artists like Taylor Swift2
. However, these measures have done little to reassure artists concerned about the unauthorized use of their creative work to train AI systems that may ultimately compete with them in the marketplace.Summarized by
Navi
26 Feb 2026•Business and Economy

02 Aug 2024

07 Apr 2026•Business and Economy

1
Technology

2
Policy and Regulation

3
Business and Economy
