For years, musicians have said AI song generators fed on their work without asking. A hacker just opened the black box and showed them exactly how. Leaked source code from Suno, one of the biggest AI music tools, tells the story. It trained its model by scraping millions of songs and lyrics from across the internet. 404 Media got the data from a hacker who breached the company.
The haul is enormous. One file, labelled “youtube_music,” had logged more than 2 million clips. Others list tens of thousands of hours pulled from Deezer, Genius, and the stock library Pond5. In all, it adds up to decades of recorded music.
Ripping the vocals #
The code is specific about what it wanted. To capture clean voices, it hunted for a cappella versions of songs on YouTube. To slip past YouTube’s defences, Suno routed its scraping through a proxy firm called Bright Data. It also trawled 420,000 podcasts, chasing roughly a million hours of speech.
None of this is entirely new. In court, Suno has already admitted training on “essentially all music files of reasonable quality” on the open web. But the leak shows the machinery behind that line.
The record labels have long alleged as much. Suing Suno, the RIAA said the company copied “decades worth of the world’s most popular sound recordings,” and did it by “stream ripping” from YouTube, dodging the platform’s copy protections.
‘Fair use,’ Suno says #
Suno’s defence, like most AI firms, is fair use. It says it trains on “publicly available music files” and builds its models for “original creation.” It even leaves artist names out of its training data, to discourage copycats.
On the breach, the company played it down. It called the November 2025 incident “limited” and “quickly contained,” said the exposed code was outdated, and insisted no sensitive data leaked. It does not hold customers’ full card numbers, it added, and it decided it did not need to tell users at all.
The hacker, who goes by ellie.191, tells a different story. They said they got in through the Shai-Hulud worm, grabbed an employee’s credentials, and pulled customer emails, phone numbers, and Stripe records. Suno never warned those users, some of them told 404 Media. The motive? “I like to hack anything and everything.”
The bigger fight #
The timing matters. Some labels have already made peace, striking licensing deals with AI firms rather than fighting on. Sony is still in court, with a pivotal fair-use ruling due this summer.
Meanwhile artists keep saying the deals do little for them. Suno’s chief executive, Mikey Shulman, once said most people “don’t enjoy the majority of the time they spend making music.” The people whose music trained his model might disagree.
Get the TNW newsletter #
Get the most important tech news in your inbox each week.