Hacked Suno Source Code Exposes Mass Scraping of YouTube, Deezer, and Genius for AI Training
A breach of the AI music generator's internal code offers the first concrete look at how Suno built its training dataset—and it includes millions of copyrighted songs.
What matters
- A hacker breached Suno in November 2025 via a supply chain attack and shared source code with 404 Media revealing the company's training data sources.
- Suno scraped millions of songs and lyrics from YouTube Music, Deezer, Genius, stock music libraries, and podcast RSS feeds.
- The breach also exposed customer data including emails, phone numbers, and partial credit card numbers for hundreds of thousands of users.
- Suno did not notify customers about the breach and has argued its training on copyrighted material is protected under fair use.
- The RIAA and major record labels are suing Suno, arguing that circumventing YouTube's anti-scraping protections violates the DMCA.
What happened
A hacker who breached AI music generator Suno in November 2025 shared internal source code and training data with the publication 404 Media, revealing that the company scraped millions of songs and lyrics from across the internet to build its models. According to the report, the hacker used a supply chain attack to obtain an employee's credentials, then accessed code showing Suno pulled audio from YouTube Music, Deezer, Genius, stock music libraries (Pond5, Jamendo, Freesound), the International Music Score Library Project, and podcasts via RSS feeds.
The breach also exposed personal data for hundreds of thousands of Suno customers, including emails, phone numbers, and partial credit card numbers stored in Stripe. Suno did not notify customers about the November 2025 incident, characterizing it as a "limited security incident."
Suno has long avoided disclosing the contents of its training datasets. In ongoing litigation with the RIAA and major record labels, the company previously admitted it trained on "essentially all music files of reasonable quality that are accessible on the open internet," totaling "tens of millions of recordings." Suno has argued this is permitted under the fair use doctrine. One of the lawsuits has reportedly been settled.
Why it matters
This is one of the first times the public has seen concrete evidence of exactly how a major generative AI company assembled its training data. While Suno's legal admissions confirmed broad scraping, the hacked code reportedly shows the specific platforms and methods used—including circumventing YouTube's anti-scraping protections, which the record labels argue violates the Digital Millennium Copyright Act (DMCA) and YouTube's terms of service.
The revelation matters on two fronts. First, it could strengthen the legal case against Suno by providing specific evidence of scraping from protected platforms. Second, the undisclosed data breach raises serious questions about Suno's security practices and transparency with customers whose payment information was exposed.
The story also highlights a broader industry pattern. Competitor Udio has faced similar accusations of scraping YouTube, and Google itself faces copyright lawsuits from book publishers over training data practices.
What to watch
- Whether the hacked source code is admitted as evidence in the ongoing RIAA litigation against Suno, and how it affects the fair use defense.
- Regulatory or legal consequences for Suno's failure to disclose the November 2025 data breach to affected customers.
- Whether other AI music or content generation companies face similar scrutiny over their training data provenance.
- The outcome of remaining lawsuits against Suno, given that one case has already been settled.
What to do next
Developers
Audit your own AI training data pipelines for provenance documentation and licensing compliance, especially if scraping third-party platforms.
The Suno hack demonstrates that undocumented or non-compliant scraping practices can be exposed and used as legal evidence; maintaining clear provenance records is now a defensive necessity.
Founders
Ensure your company has a breach notification policy and incident response plan in place, and review whether your training data practices can withstand public scrutiny.
Suno's failure to disclose a November 2025 breach and its opaque training data practices have compounded legal and reputational risk.
PMs
Map every external data source feeding your AI products and verify that each has appropriate licensing or terms-of-service compliance.
The hacked code revealed specific platforms Suno scraped from; PMs need to know whether their own data sourcing could similarly be exposed.
Investors
Assess portfolio companies in generative AI for training data provenance risk and breach disclosure compliance as part of due diligence.
The Suno case shows that training data practices and security incidents can materially affect litigation exposure and company valuation.
Operators
Review vendor and platform terms of service for any data scraping or automated access your organization performs, and document compliance.
The record labels' argument hinges on DMCA violations and terms-of-service breaches; operators need to ensure their data acquisition methods are legally defensible.
Testing notes
Caveats
- This is a news story about a security breach and legal dispute, not a product launch or developer tool release. There is nothing to test directly. The hacked source code is not publicly available; details come from 404 Media's reporting and secondary coverage.