Suno hack reveals AI training datasets scraped from YouTube and others
Leaked source code from a Suno security breach reveals the platform used unauthorized scraping to ingest millions of hours of music, contradicting previous company claims.
A hack of Suno, an AI music generation platform, has exposed extensive evidence that the company trained its models by scraping millions of songs, lyrics, and audio clips from YouTube Music, Deezer, Genius, and other online sources, according to multiple reports. The breach, which occurred in November 2025, was revealed through leaked source code and operational details shared with 404 Media by a hacker identified as ellie.191. The data provides a rare and detailed look into the inner workings of AI training datasets, confirming long-standing allegations by record labels and artists that Suno and similar platforms rely on vast, unlicensed collections of copyrighted material.
The hacked materials include source code from 2023 and 2024, along with scraping instructions and metadata that outline the scope of Suno’s data acquisition. One file, labeled “youtube_music,” recorded 2,013,545 music clips ingested from YouTube Music alone. Additional datasets detailed “113,879 hours of YouTube Music,” “17,615 hours of Genius,” “62,117 hours of Pond5_music,” and “12,287 hours of Deezer,” among other sources. The data also revealed that Suno targeted specific content, such as a cappella versions of songs to extract vocal-only audio, and used third-party services like Bright Data to circumvent YouTube’s anti-scraping protections. The company reportedly scraped podcasts via RSS feeds, amassing roughly one million hours of spoken content.
Suno has previously acknowledged training its AI on “publicly available music files” from the open internet, arguing that its use of copyrighted material falls under the fair use doctrine. However, the leaked code directly contradicts this claim by detailing explicit scraping methods and source platforms. The Recording Industry Association of America (RIAA) and other music industry groups have long accused Suno of violating copyright laws by “stream ripping” tracks from YouTube without authorization, a practice that also breaches YouTube’s terms of service. The hacked data appears to validate these allegations, showing that Suno’s training datasets included “decades worth of music” from protected platforms.
The breach also exposed customer information, including emails, phone numbers, and partial credit card details stored by Suno’s payment processor, Stripe. Suno has downplayed the incident, stating that the compromised data involved “outdated source code that is no longer in use” and that “no sensitive personal information was compromised.” The company declined to notify affected users, citing privacy laws and the “limited nature” of the breach. However, some customers confirmed they were unaware of the incident, raising questions about Suno’s transparency and data security practices.
The leak comes amid ongoing legal battles between Suno and major record labels. The RIAA and other entities have filed lawsuits alleging that Suno’s AI models replicate copyrighted works without permission, with one case claiming the platform generated outputs that directly mimic the “style and melody” of existing songs. Suno’s defense hinges on fair use, but courts have yet to establish clear precedents for AI training data in copyright law. The company has also faced scrutiny for its lack of compensation to artists whose work is used in training datasets, even as some labels have struck licensing deals with AI firms.
The hack underscores the broader controversy surrounding AI’s reliance on scraped data. Competitors like Udio have faced similar accusations, while tech giants such as Google face lawsuits over alleged copyright violations in other domains. For artists, the revelations highlight the tension between innovation and intellectual property rights, with many arguing that AI tools like Suno prioritize commercial interests over creative equity. As Suno prepares for a potential initial public offering, the leaked data adds pressure to address legal, ethical, and technical challenges in AI development.