A significant data leak resulting from a hacking incident has shed light on the opaque training methods of Suno, the popular AI music generator. According to reports from 404 Media, the company allegedly scraped millions of songs and lyrics from platforms including YouTube Music, Deezer, and Genius, despite their protective barriers.
The Scale of Data Acquisition
Files obtained by a hacker known as "ellie.191" include Suno source code from 2023 and 2024. The data reveals specific instructions for pulling audio files from a variety of platforms, including Pond5, Jamendo, and the International Music Score Library Project (IMSLP). From YouTube Music alone, Suno had reportedly consumed over 2 million clips by the time the files were last updated.
Furthermore, the leaked code suggests the use of a third-party service, Bright Data, to mass-scrape content from YouTube. It appears the company specifically sought out a cappella versions of songs to source vocal-only audio for its model training.
Legal Fallout and the Fair Use Defense
This revelation comes at a pivotal time for Suno, which is already embroiled in lawsuits filed by the Recording Industry Association of America (RIAA). The RIAA alleges that the company unlawfully circumvents YouTube’s protections through "stream ripping." Suno has openly admitted to training on publicly available files but argues that this practice is legally protected under the fair use doctrine.
Security Failures and User Impact
Beyond copyright concerns, the breach exposed Suno customer information, including email addresses, phone numbers, and Stripe payment details. Although Suno confirmed it became aware of the incident in November 2025, it chose not to notify affected users. The company maintained that the compromised source code was outdated and that no sensitive personal information was at risk.