Thursday, July 16, 2026

News

Hackers Steal Suno Source Code, Exposing Scale of YouTube and Deezer Scraping

PolicyPatryk Raba
Fot. Tima Miroshnichenko, Pexels (Pexels License)

An unknown hacker breached Suno and published source code fragments from 2023-2024 that describe mass downloading of millions of tracks from YouTube Music, Deezer and Genius to train AI models. Data from hundreds of thousands of customers also leaked, including email addresses and partial Stripe payment details.

Contents
  1. How the Breach Happened
  2. What the Leaked Code Shows
  3. A New Angle in the Copyright Fight
  4. Customer Data Also Leaked
  5. What It Means for Musicians

An unknown hacker gave the outlet 404 Media fragments of the source code from Suno, the popular AI music generation app. The documents, dating from 2023-2024, describe in detail where the company sourced material to train its models, and reveal a scale that was not previously publicly known.

How the Breach Happened

According to reports, the hacker gained access to Suno's systems through a supply chain attack, taking over one employee's credentials. This access opened the door to the company's source code repositories and to customer data stored in Stripe, the payment processing system.

Suno confirmed the incident took place in November 2025 but did not inform its users at the time. The company only disclosed the matter after the hacker contacted journalists and handed over the materials.

What the Leaked Code Shows

The most significant part of the leak is not the customer data itself but the comments and variables in the source code that describe the origin of the training data. According to 404 Media and Engadget, the files point to content being downloaded from YouTube Music, Deezer, Genius, as well as from the Pond5, Jamendo, Freesound, and International Music Score Library Project libraries, and from podcasts via RSS feeds.

The scale suggested by these records is enormous. One file related to YouTube Music indicated 2,013,545 downloaded music clips as of its last update. Other comments in the code cite 113,879 hours of recordings from YouTube Music, 17,615 hours from Genius, 62,117 hours from Pond5, 19,514 hours from IMSLP, 12,287 hours from Deezer, and 3,726 hours from Jamendo.

Suno has long defended itself against lawsuits from major music labels, arguing that training models on publicly available material falls within the bounds of the US fair use doctrine. The leak, however, provides concrete technical evidence of exactly how the company obtained its data, which could strengthen the plaintiffs' position in ongoing litigation.

No sensitive personal information was compromised. - Suno spokesperson

The RIAA, the organization representing the American recording industry, has argued for months that pulling content from YouTube while bypassing the platform's safeguards violates both DMCA regulations and the platform's terms of service. The leaked code fragments, which describe the mechanisms used to download content from specific services, could become evidence in these disputes.

Customer Data Also Leaked

Besides the source code, the hacker gained access to Suno customers' personal data, including email addresses, phone numbers, and partial payment card data stored in the Stripe system. The company described the incident as limited and quickly contained, stating that no sensitive personal data was compromised.

Suno has not disclosed the exact number of affected accounts, nor explained why it waited eight months to disclose the November 2025 incident, which came to light only after the hacker and journalists exposed it.

What It Means for Musicians

The case touches on a broader problem that music creators around the world, including in Poland, have faced for months, as musicians and publishers increasingly discover their own recordings in the training datasets of generative models. The specific hour and source counts revealed in Suno's code offer, for the first time, a tangible picture of the scale of this phenomenon, rather than companies' vague claims about "publicly available data."

For the music industry, the leak also provides an argument in the debate over labeling systems for AI-generated tracks and over streaming platforms' responsibility for how their resources are used by companies training generative models.

Share: