# Hack Exposes Suno AI Scraped Over 2 Million Songs From YouTube, Deezer, and Genius

> Source: <https://mlq.ai/news/hack-exposes-suno-ai-scraped-over-2-million-songs-from-youtube-deezer-and-genius/>
> Published: 2026-07-16 13:55:10.053011+00:00

# Hack Exposes Suno AI Scraped Over 2 Million Songs From YouTube, Deezer, and Genius

- Hacked source code reveals Suno ingested 2,013,545 YouTube Music clips and over 380,000 total hours of audio from nine platforms including Deezer, Genius, and Pond5
[[1]](https://www.404media.co/hack-reveals-suno-ai-music-generator-scraped-youtube-deezer-and-genius/) - A hacker compromised a Suno employee in November 2025 using a supply-chain worm, gaining access to GitHub and cloud credentials along with customer data for hundreds of thousands of users
[[2]](https://www.engadget.com/2215772/a-hacker-accessed-suno-source-code-that-reportedly-details-how-the-company-scraped-millions-of-songs/) - Suno called the breach 'quickly contained' and said the exposed code is 'outdated,' while maintaining its scraping constitutes fair use
[[3]](https://techcrunch.com/2026/07/15/hack-suggests-ai-music-generator-suno-scraped-youtube-for-training-data/) - Universal Music Group and Sony Music are still actively litigating against Suno in federal court, with a hearing scheduled for July 2026
[[4]](https://www.riaa.com/record-companies-bring-landmark-cases-for-responsible-ai-againstsuno-and-udio-in-boston-and-new-york-federal-courts-respectively/) - Warner Music settled its claims against Suno in November 2025 in exchange for a licensing deal
[[4]](https://www.riaa.com/record-companies-bring-landmark-cases-for-responsible-ai-againstsuno-and-udio-in-boston-and-new-york-federal-courts-respectively/)

A security breach at AI music generator Suno has exposed internal source code detailing how the company scraped more than 2 million songs and over 380,000 hours of audio from YouTube Music, Deezer, Genius, and at least six other platforms to train its generative AI models, according to a report by 404 Media published July 15 [1].

The leaked files provide the first concrete, technical evidence of Suno's training data sources — information the startup has long refused to disclose publicly. The revelation lands amid active copyright litigation brought by Universal Music Group and Sony Music, which have accused Suno of mass infringement. A federal hearing in the case is scheduled for July 2026 [4].

The hacker, operating under the handle "ellie.191," compromised a Suno employee in November 2025 using a supply-chain worm dubbed "Shai-Hulud," gaining access to GitHub repositories and cloud service credentials. Beyond source code, the breach exposed customer information — including email addresses and phone numbers — for hundreds of thousands of Suno users [2].

Suno confirmed the incident but characterized it as limited, stating that "no sensitive personal information was compromised" and that the accessed source code is "outdated" and "no longer in use" [3].

## What the Data Shows

The hacked source code contains detailed scraping instructions and dataset documentation spanning 2023 to 2024. One file labeled 'youtube_music' recorded the ingestion of 2,013,545 individual music clips. Separate dataset documentation logged 113,879 hours of YouTube Music audio, 152,162 hours of content tagged 'ytm_tagged,' 17,615 hours from Genius, 62,117 hours from stock music library Pond5, 19,514 hours from the International Music Score Library Project, 12,287 hours from Deezer, 3,726 hours from Jamendo, 410 hours from Freesound, and 103 hours from MuseScore Lyrics [1].

The code also referenced the scraping of hundreds of thousands of podcasts via RSS feeds and YouTube acapella versions, with indications that proxy services were used for some collection [2]. A filtering mechanism in the code excluded 'non-music' content, suggesting automated classification of scraped material

.

[[1]](https://www.404media.co/hack-reveals-suno-ai-music-generator-scraped-youtube-deezer-and-genius/)## How the Breach Happened

The hacker used a supply-chain worm called 'Shai-Hulud' to compromise a Suno employee, obtaining credentials that unlocked access to the company's GitHub repositories and cloud infrastructure [2]. The breach occurred in November 2025, and the hacker subsequently shared the obtained materials with 404 Media.

Beyond source code, the hacker accessed customer data for hundreds of thousands of Suno users, including email addresses, phone numbers, and Stripe payment information. Suno said it does not store full credit card numbers, as payment processing is handled by Stripe, and determined it was not legally obligated to notify affected users [3].

## Legal Implications

The leaked data directly corroborates allegations made by major record labels in copyright lawsuits filed in June 2024. The Recording Industry Association of America, acting on behalf of Universal Music Group, Sony Music, and Warner Music Group, sued Suno in Boston federal court, accusing the company of 'stream ripping' from YouTube and training on copyrighted recordings without authorization [4].

Suno has acknowledged in court filings that its models were trained on 'essentially all music files of reasonable quality that are accessible on the open internet' — representing 'tens of millions of recordings' — but argued this constitutes fair use [1]. The labels have since moved to expand the scope of their claims, asking the court in May 2026 to add 61,026 recordings to the original 560 works cited in the complaint

.

[[4]](https://www.riaa.com/record-companies-bring-landmark-cases-for-responsible-ai-againstsuno-and-udio-in-boston-and-new-york-federal-courts-respectively/)Warner Music dropped its claims against Suno in November 2025 after reaching a licensing agreement. Universal Music Group and Sony Music continue to litigate, with a hearing before Judge Denise Casper scheduled for July 2026 [4].

## Suno's Defense

In its public response, Suno maintained that its training practices are lawful and focused on enabling original creation. 'Our goal has always been to help people create original new music, not replicate someone else's. That's why we build our models around what we call Original Creation, By Design,' a spokesperson said [3].

The company noted that it 'intentionally does not use artist names as a category of training metadata' and that the exposed source code is outdated. Suno stated that its models 'have been trained on publicly available music files and related metadata accessible on third-party websites on the open Internet' [3].

The distinction between 'publicly available' and 'licensed' is central to the legal dispute. YouTube's terms of service prohibit automated scraping, and Deezer has publicly opposed unauthorized AI training on its catalog. The hacked code's reference to proxy services suggests Suno took steps to obscure its scraping activity [2].

## What's Next

The disclosure adds significant evidentiary weight to the ongoing federal litigation at a critical juncture. Legal experts have noted that internal documentation showing the scale and methodology of scraping undermines fair use arguments, particularly when the scraping appears to violate the source platforms' terms of service.

For the broader AI industry, the breach highlights the risks of opaque training data practices. AI companies across text, image, and music generation face mounting legal pressure to disclose and license training data. The outcome of the Suno litigation — now armed with the company's own internal records — is expected to set precedent for how courts treat large-scale copyrighted content ingestion by generative AI systems.

## Further sources

[[1] 404 Media, "Hack Reveals Suno AI Music Generator Scraped YouTube, Deezer, and G… ↗](https://www.404media.co/hack-reveals-suno-ai-music-generator-scraped-youtube-deezer-and-genius/)

[[2] Engadget, "A hacker accessed Suno source code that reportedly details how the c… ↗](https://www.engadget.com/2215772/a-hacker-accessed-suno-source-code-that-reportedly-details-how-the-company-scraped-millions-of-songs/)

[[3] TechCrunch, "Hack suggests AI music generator Suno scraped YouTube for training… ↗](https://techcrunch.com/2026/07/15/hack-suggests-ai-music-generator-suno-scraped-youtube-for-training-data/)

[[4] RIAA, "Record Companies Bring Landmark Cases for Responsible AI Against Suno an… ↗](https://www.riaa.com/record-companies-bring-landmark-cases-for-responsible-ai-againstsuno-and-udio-in-boston-and-new-york-federal-courts-respectively/)

The stories that matter, in one email. Free — unsubscribe anytime.
