
Suno AI training data breach reveals millions of scraped songs from YouTube, Deezer, and Genius
Published by AINave Editorial • Reviewed by Ramit
A hack of Suno AI's source code has exposed the company's training pipeline, revealing that it scraped millions of songs and lyrics from YouTube, Deezer, and Genius to build its music generation model. The leaked data shows the scale and methods of Suno's data collection, including the use of a proxy service to bypass platform protections. For AI builders, the breach highlights the growing legal and operational risks around training data provenance and copyright.
What happened
Leaked source code from Suno, one of the largest AI music tools, details how the company built its training dataset. A single file labelled "youtube_music" logged over 2 million clips from YouTube. Other files list tens of thousands of hours pulled from Deezer, Genius, and the stock library Pond5. The code also shows Suno trawled 420,000 podcasts, totaling roughly a million hours of speech.
To capture clean vocal tracks, the code specifically targeted a cappella versions of songs on YouTube. To evade YouTube's anti-scraping measures, Suno routed its scraping through a proxy firm called Bright Data.
The breach occurred in November 2025 and was attributed to an attacker known as ellie.191, who used a supply-chain worm called Shai-Hulud. Suno described the incident as "limited" and "quickly contained," stating the exposed code was outdated and no sensitive data was compromised. However, ellie.191 claims to have obtained customer emails, phone numbers, and Stripe records. Suno did not notify affected users, according to reports.
Why AI builders should care
This case is a concrete example of how AI music companies source training data, and it carries implications beyond music. The RIAA has sued Suno, alleging it copied "decades worth of the world's most popular sound recordings" through stream ripping from YouTube. Suno's defense, like many AI firms, rests on fair use, arguing it trains on "publicly available music files" for "original creation" and excludes artist names from training data to discourage copycats.
A pivotal fair-use ruling in a related case involving Sony is expected soon. Depending on the outcome, the legal landscape for training data could shift dramatically. For builders of generative AI products, this case underscores the importance of data provenance documentation, consent, and licensing clarity. Regulators and courts are increasingly scrutinizing how training data is collected, and the Suno breach provides a roadmap of what not to do.
Practical implications
The leak reveals the operational machinery behind Suno's training pipeline. Key takeaways for AI builders include:
- Proxy-based scraping: Suno used Bright Data to bypass YouTube's protections. This approach carries legal risk and violates the terms of service of many platforms.
- Scale of data: Over 2 million YouTube clips, tens of thousands of hours from Deezer and Genius, and 420,000 podcasts. The sheer volume makes it difficult to argue that training data was "incidental" or "transformative" in a legal sense.
- Targeted collection: The code specifically hunted for a cappella versions, showing deliberate curation to improve vocal quality in generated music.
For developers building generative models, the case highlights the need for:
- Clear documentation of data sources and consent.
- Licensing agreements or use of public domain/royalty-free data.
- Transparency about data collection methods, especially when using proxies.
Caveats
Details in this article are based on leaked source code and secondary reports from 404 Media, which obtained the data from the hacker. Suno has disputed the severity of the breach, and investigations are ongoing. The exact scope of customer data exposed remains contested between the company and ellie.191. The fair-use rulings in related cases are still pending, and outcomes may vary by jurisdiction. Artist rights and licensing deals are evolving rapidly, and the long-term impact on AI music development is uncertain.
FAQs
Sources
- A hack just showed how Suno’s AI music was really built: millions of scraped songs
- Suno Hack Trending #54 - Break The Web
- Hack reveals Suno's data scraping methods for AI music generation
- Source Code Hack Reveals Suno's AI Was Trained on Millions of...
- Google News - Report: Suno AI music generator hacked - Overview
- Suno hack shows how third-party data trained AI music service's models
- AI Music Copyright Lawsuit: Suno Discovery Shows Millions of Songs, July Ruling Nears
- Suno Hack Shows How Third-Party Data Trained AI Music...
- Google News - AI music generator Suno hacked, source code...
- Suno Hack Shows How Third-Party Data Trained AI Music Service's Models
- AI Music App Suno Got Hacked, Giving a Glimpse of Just How Much Music It Scraped
- A hacker accessed Suno source code that reportedly details how the company scraped millions of songs
- Leaked docs reveal how Suno trained its AI music engine






















