Suno’s Secret Scrapes: Hack Lays Bare Decades of Music Data Used to Train AI Hitmaker

A fresh hack exposed Suno’s training data sources in detail. The AI music firm scraped millions of tracks and lyrics from YouTube Music, Deezer, Genius and stock libraries, totaling decades of audio. Lawsuits rage on while the company raises billions. The revelations sharpen the battle over fair use in generative music.
Suno’s Secret Scrapes: Hack Lays Bare Decades of Music Data Used to Train AI Hitmaker
Written by Eric Hastings

A hacker slipped into Suno last November. What the intruder found and later handed over to reporters has cracked open the black box around one of the music world’s most talked-about startups. Source code from 2023 and 2024 showed the company systematically pulled audio from YouTube Music, Deezer, Genius and a string of stock libraries and podcast feeds. The numbers add up fast. Over 113,000 hours from YouTube Music alone. Another 62,000 from Pond5. Tens of thousands more from Deezer, Genius and the International Music Score Library Project. In total, decades of sound.

The details come from 404 Media. The hacker, operating under the name ellie.191, used a supply-chain attack. It netted an employee’s credentials and opened the door to internal files. One note in the code listed sources to harvest: “genius_hq, youtube_music, freesound, jamendo, imp, deezer, ytm_tagged.” Non-music tracks would be filtered out. Another file recorded that Suno had already ingested 2,013,545 clips from YouTube Music at the time it was last updated.

But the hack went further. Leaked materials indicated Suno turned to a third-party service called Bright Data to scrape YouTube. The code suggested the company hunted specifically for a cappella versions of tracks. The goal was clear. Gather clean vocal data to train its models on singing. Podcast RSS feeds and services like PodcastIndex were targeted too, with plans to pull roughly one million hours of speech. And customer records for hundreds of thousands of users surfaced as well. Emails, phone numbers and partial Stripe payment details sat exposed.

Suno moved quickly once it learned of the breach. “We immediately conducted an investigation and verified that the incident primarily involved outdated source code that is no longer in use at Suno and that no sensitive personal information was compromised,” a company spokesperson told reporters. Full credit card numbers were never accessible through Stripe, the firm added. Individual notifications were not required under privacy rules. The breach was contained. Yet the training data revelations land at a delicate moment.

The recording industry has sued Suno and rival Udio, accusing both of copyright infringement on a massive scale. The RIAA claims the companies engaged in “stream ripping” from YouTube, a practice that violates the platform’s terms and the Digital Millennium Copyright Act. Court filings show Suno previously admitted it trained on “essentially all music files of reasonable quality accessible on the open internet.” That admission, combined with the fresh technical evidence, gives plaintiffs fresh ammunition. One suit has settled. Warner Music Group struck a licensing deal with Suno late last year and dropped its claims. Others continue.

Yet Suno has raised money at a blistering pace. A $400 million Series D round in June valued the company at $5.4 billion, according to TechCrunch. Investors appear undeterred by the litigation. The startup’s tools let anyone generate full songs from text prompts. Its latest models produce vocals that sound increasingly human. Tracks created on the platform have already charted. Some artists have signed real record deals off AI-generated material. The tension is obvious. The same technology that excites creators risks displacing them.

The leaked code paints a picture of aggressive data collection. Files reference 17,615 hours from Genius HQ. Over 12,000 from Deezer. More than 19,000 from the IMSLP. Pond5 contributed 62,117 hours of music. Even smaller sources like Freesound added hundreds of hours. The company layered these datasets into training runs that filtered, tagged and processed the material at scale. Comments in the code make the intent plain. Pull the audio. Strip what isn’t music. Feed the model.

Industry watchers have long suspected such practices. The new reporting from The Verge and The Next Web confirms many of those suspicions with technical precision. Suno has maintained it trains only on publicly available files and avoids using artist names in metadata to prevent direct copying. Its policy promotes “original creation, by design.” But the distinction between inspiration and infringement remains hotly contested in court. Fair use arguments that worked for earlier AI image generators face steeper tests when applied to commercial music.

Artists on both sides of the debate have weighed in. Some see Suno as a tool that democratizes production. Others view it as theft on an industrial scale. The hack adds concrete evidence to the latter camp’s arguments. It shows exactly which platforms were targeted and in what volumes. It reveals the technical steps taken to bypass protections and gather clean vocal stems. And it underscores how much data was required to reach today’s performance levels. Models need vast libraries to learn melody, harmony, structure and timbre.

So what happens next? The ongoing lawsuits could force clearer rules around training data. Settlements might include licensing agreements that retroactively compensate rights holders. Or courts could draw new lines on fair use for generative AI. In the meantime Suno keeps shipping updates. Its v5.5 model added features for custom voices and taste profiles. Users generate more songs than ever. Some of that output ends up on streaming services, social platforms and even Billboard charts.

The music business has absorbed technological shocks before. Radio, cassettes, Napster, streaming. Each time the industry adapted, consolidated and found new revenue streams. This shift feels different. The barrier to creation has collapsed. Anyone with a prompt can produce radio-ready tracks. The data that makes it possible was scraped from the very catalogs now under legal protection. The hack has made that contradiction impossible to ignore.

Labels, artists and technologists will keep fighting over the rules. Suno will keep iterating. And listeners will keep encountering AI songs that sound a little too real. The question is no longer whether these systems were trained on existing music. The files make that plain. The harder question is what society decides to do about it.

Subscribe for Updates

AITrends Newsletter

The AITrends Email Newsletter keeps you informed on the latest developments in artificial intelligence. Perfect for business leaders, tech professionals, and AI enthusiasts looking to stay ahead of the curve.

By signing up for our newsletter you agree to receive content related to ientry.com / webpronews.com and our affiliate partners. For additional information refer to our terms of service.

Notice an error?

Help us improve our content by reporting any issues you find.

Get the WebProNews newsletter delivered to your inbox

Get the free daily newsletter read by decision makers

Subscribe
Advertise with Us

Ready to get started?

Get our media kit

Advertise with Us