Hackers Breach Suno AI Music Generator, Leaking Training Data and User Information

Suno’s internal dataset notes reveal precise scrape headings and hours: 113,879 hours of youtube_music, 17,615 hours of genius_hq, 410 hours of freqsounds, 19,514 hours of IMSLP, 3,726 hours of jamendo, and 62,117 hours of pond5_mu, alongside 2,013,545 music clips from YouTube Music, among other sources.
The attacker reportedly used a worm-based supply-chain intrusion to steal an employee’s credentials, enabling access to Suno’s internal source code and related GitHub/cloud services.
The breach is said to have involved data-scraping methods from multiple sources, including YouTube Music, Deezer, Genius, stock libraries, and RSS podcast feeds, with the attacker noting proxy tactics to harvest data such as acapella YouTube versions and hundreds of thousands of podcasts via RSS feeds.
Warner Music Group reportedly dropped out of Suno’s ongoing copyright lawsuit after a licensing deal with Suno, illustrating how licensing settlements can affect high-profile IP disputes in AI data use cases.
Suno has claimed the breach primarily exposed outdated source code no longer used at the company, a detail Suno characterized as not affecting current operations or user data.
A hacker broke into AI music startup Suno in November 2025, stealing source code and customer data — and exposing exactly how the $5.4 billion company built its AI music engine, according to Variety. The breach revealed internal documents showing Suno scraped over 113,000 hours of audio from YouTube Music, nearly 20,000 hours from IMSLP, and more than 2 million individual music clips, raising serious copyright questions.
Suno called the breach "limited" and said it was quickly contained, according to Crypto Briefing. The company claimed the stolen code was outdated and no longer in use. But the leaked data painted a far more detailed picture of Suno's training methods than the company had ever publicly disclosed.
The attacker, identified as Ellie.191, used a worm-based supply-chain intrusion to steal an employee's login credentials, according to Crypto Briefing. That access opened the door to Suno's internal source code, GitHub repositories, and cloud services. The hacker also got into customer records, including emails, phone numbers, and partial Stripe payment details.
Suno did not notify users about the breach at the time, according to Variety. The company later said the exposed code was no longer active. Security experts note that supply-chain attacks — where hackers target third-party tools to reach a bigger target — are among the hardest breaches to detect early.
The leaked internal notes revealed precise figures. Suno scraped 113,879 hours from YouTube Music, 17,615 hours from Genius, 62,117 hours from stock library Pond5, and 19,514 hours from IMSLP, a classical music archive, according to Gadget Review. The company also pulled audio from Deezer, the Jamendo library, and hundreds of thousands of podcasts via RSS feeds.
The documents show Suno used proxy servers to scrape acapella versions of songs from YouTube and harvest podcast audio at scale, according to TechBuzz. Suno has publicly said its models train on "publicly available" music and metadata, arguing the practice falls under fair use. Rights holders strongly dispute that claim.
Major record labels have sued Suno over its training data practices. The leaked documents now give those lawsuits new ammunition. Warner Music Group notably dropped out of the ongoing case after reaching a separate licensing deal with Suno, according to Variety. The exit shows how licensing settlements can quietly reshape high-profile AI copyright fights.
Suno's rival Udio faces nearly identical accusations over scraping copyrighted music, according to TechBuzz. Platforms like YouTube may also face related legal exposure. Regulators and industry observers are watching closely to see how courts rule on whether scraping publicly available content counts as fair use or copyright infringement.
The Suno breach is one of the first cases where a hack has pulled back the curtain on exactly what data an AI company used — and how it got it. The specificity of the leaked logs, down to exact hours scraped per source, is unusual. Most AI companies treat their training data as a closely guarded secret.
The incident raises two separate but linked concerns: data security and data legality. Suno must now answer for both how its systems were compromised and whether the underlying data practices were lawful, according to Yahoo News. The outcome could set a precedent for how AI music, image, and text generators source their training material going forward.
Publishers
19
Articles
17
Reach
36