{"slug": "hacked-suno-code-shows-youtube-and-deezer-scraping-behind-ai-music-models", "title": "Hacked Suno code shows YouTube and Deezer scraping behind AI music models", "summary": "Hacked source code from AI music startup Suno reveals the company scraped millions of audio clips from YouTube Music, Deezer, Genius, and other platforms to train its music-generation models, according to a 404 Media report. The code, from 2023-2024, shows Suno ingested over 380,000 hours of music and targeted specific vocal material, contradicting the company's public training-data disclosures. The breach, disclosed by Suno in November 2025, comes as the company shifts strategy toward mainstream music production after a $400 million funding round.", "body_md": "[Mikey Shulman](https://mikey.one/?ref=runtimewire) is trying to move [Suno](https://suno.com/?ref=runtimewire) from AI music provocation into the music industry's supply chain. A [new 404 Media report](https://www.404media.co/hack-reveals-suno-ai-music-generator-scraped-youtube-deezer-and-genius/?ref=runtimewire) makes that job harder: hacked Suno source code described by the outlet shows scraping pipelines aimed at [YouTube Music](https://music.youtube.com/?ref=runtimewire), [Deezer](https://www.deezer.com/?ref=runtimewire), [Genius](https://genius.com/?ref=runtimewire), [Pond5](https://www.pond5.com/?ref=runtimewire), [Jamendo](https://www.jamendo.com/?ref=runtimewire), [Freesound](https://freesound.org/?ref=runtimewire), the [International Music Score Library Project](https://imslp.org/?ref=runtimewire), [MuseScore](https://musescore.com/?ref=runtimewire) lyrics and podcast RSS feeds.\n\nThe report, published July 15, is current. The underlying breach is older. Suno told 404 Media it determined in November 2025 that it had suffered a \"limited security incident\" involving outdated source code that is no longer in use. The code 404 Media reviewed appears to come from 2023 and 2024, meaning the story is best read as a new window into how Suno built earlier training libraries, rather than a disclosure of a new breach this week.\n\nThat distinction matters because Suno's strategy has shifted since the scraping described in the files. Shulman, Suno's co-founder and CEO, wrote in a [June 3 company post](https://suno.com/blog/series-d-announcement?ref=runtimewire) that Suno had raised more than $400 million in Series D funding at a $5.4 billion post-money valuation, led by [Bond Capital](https://www.bondcap.com/?ref=runtimewire) with [IVP](https://www.ivp.com/?ref=runtimewire), Forerunner, Union Square Ventures, Alkeon and Quiet alongside existing investors Matrix, Lightspeed, Menlo Ventures and Schroders Capital. [RuntimeWire reported in June](/article/suno-series-d-mikey-shulman-ai-music) that the round put fresh capital behind Shulman's push to take Suno beyond prompt-based song generation and closer to mainstream music production.\n\n404 Media's reporting now puts numbers around the part of that story Suno has generally described in broader legal and regulatory language. One hacked file called \"youtube_music\" had ingested 2,013,545 music clips when the file was last updated, according to 404 Media. Another file listed dataset totals including 113,879 hours of YouTube Music, 152,162 hours of a dataset labeled ytm_tagged, 62,117 hours of Pond5 music, 19,514 hours of IMSLP, 17,615 hours of Genius, 12,287 hours of Deezer, 3,726 hours of Jamendo, 410 hours of Freesound and 103 hours of MuseScore lyrics. Those listed categories add up to 381,813 hours.\n\n404 Media also reported that other code searched YouTube for acapella versions of songs, suggesting Suno was looking specifically for vocal material, and that the code indicated Suno used proxies through [Bright Data](https://brightdata.com/?ref=runtimewire) to scrape YouTube. Additional code, according to the report, showed Suno used [PodcastIndex](https://podcastindex.org/?ref=runtimewire) to identify 420,000 podcasts with at least five 30-minute episodes and sought to download roughly 1 million hours of podcasts.\n\nSuno's public position has been narrower and more carefully worded. In its [California AB 2013 training-data disclosure](https://help.suno.com/en/articles/9709569?ref=runtimewire), edited January 1, 2026, Suno says its music models are trained on publicly available music files and related metadata accessible on third-party websites on the open internet, and that Suno abides by paywalls and password protections. The same disclosure says Suno's training data consists of tens of millions of public music audio files and corresponding textual metadata, and that Suno has collected data for model training since spring 2023.\n\nThat language aligns with Suno's fair-use posture in copyright litigation. It does not name YouTube Music, Deezer, Genius, Pond5 or the other sources that 404 Media says appeared in the hacked material. Suno has already acknowledged in legal proceedings, according to 404 Media, that its models were trained on essentially all music files of reasonable quality accessible on the open internet and on tens of millions of recordings.\n\n### The founder's bet meets the data question\n\nShulman's pitch has always been unusually personal for a frontier AI company. On his own site, he describes himself as Suno's co-founder, the former first machine learning hire and head of machine learning at Kensho, now part of S&P Global, and a lecturer at MIT Sloan teaching natural language processing for finance. He also calls himself an \"avid mediocre musician,\" a phrase that captures Suno's product thesis better than most corporate copy: the tool is built for people who have musical ideas before they have studio fluency.\n\nSuno's product backs that up. The homepage promises complete songs from a simple prompt, daily free song creation, granular controls for voices and style, paid commercial rights, stem export and Suno Studio, which Suno describes as a web-based generative audio workstation. Paid users can upload or record audio, rewrite lyrics, reorder sections and extract up to 12 time-aligned WAV stems.\n\nThe tension is that Suno's most founder-friendly story and its hardest legal problem come from the same place. Shulman is trying to turn music creation into a consumer and creator workflow that does not require years of training on an instrument or production software. The record industry says that result was built by copying professional recordings at scale without permission. The hacked-code report gives labels, artists and platforms a more concrete map of what Suno allegedly gathered and from where.\n\nSuno pushed back on the security and privacy implications of the breach in its statement to 404 Media. The company said the November 2025 incident was quickly contained, primarily involved outdated source code, and did not compromise sensitive personal information. Suno also said it does not have access to customers' full credit card numbers in Stripe. The hacker who spoke to 404 Media said they accessed information for hundreds of thousands of Suno customers, including emails and/or phone numbers and Stripe payment details depending on how customers logged in.\n\nThose two accounts leave a practical gap for users and customers. Suno says individual notifications were not warranted under applicable privacy laws. 404 Media reported that the hacker provided a sample of customers, some of whom confirmed they had used a phone number to sign up for Suno and said they had not been notified of a breach.\n\n### The licensing pressure is getting more specific\n\nThe report lands as Suno tries to recast itself as a partner to rights holders. In March, the [Associated Press reported](https://apnews.com/article/suno-udio-ai-music-record-labels-849a2d59eab89072154ab32b4db06284?ref=runtimewire) that Shulman said working with the music industry was the only path that made sense, because music is too culturally important to split into AI and non-AI worlds. AP also reported that Sony Music, Universal Music and Warner Records sued Suno and Udio in 2024, and that Suno had settled with Warner while Sony's case continued.\n\nThe money makes that transition urgent. A $5.4 billion post-money valuation gives Suno room to keep shipping, hiring and negotiating, but it also raises the standard for eventual revenue. Suno cannot remain a novelty app if investors are underwriting an AI music platform at that scale. It needs consumer subscriptions, creator workflows, label partnerships, or some combination that converts model capability into durable rights-cleared business.\n\nThat is why the source lists matter. YouTube Music is not a vague symbol of the open web. Deezer is a licensed streaming service. Genius is a lyrics and annotation site with music integrations. Pond5 is a paid stock-media marketplace owned by Shutterstock, according to 404 Media. Podcast RSS feeds raise a separate consent and voice-data question because spoken-word archives were built for distribution, not necessarily model ingestion. A legal theory that treats publicly reachable material as trainable data becomes more brittle as the source mix starts to look like commercial catalogs and creator archives.\n\nSuno's best case is that the hacked code reflects old collection methods, that the models and safeguards have moved on, and that licensing deals or partner-built models can carry future products. Shulman wrote in June that Suno was preparing to roll out a music model developed with industry partners. The 404 Media report raises the cost of that pivot: the company now has to persuade rights holders that partnership terms can settle the past and govern the next generation of models.\n\nFor founders building in AI, Suno is becoming a case study in the cost of early data decisions. Scraping can create a product advantage before a market has settled its licensing norms. Once the product works, the provenance of the training set becomes part of the cap table, the litigation strategy, the enterprise sales process and the customer trust problem. Suno's product has shown there is demand for near-instant song creation. The hacked-code report shows how much of the company may now turn on proving that demand can be served without keeping the original data fight alive.", "url": "https://wpnews.pro/news/hacked-suno-code-shows-youtube-and-deezer-scraping-behind-ai-music-models", "canonical_source": "https://runtimewire.com/article/suno-hacked-code-youtube-deezer-genius-scraping", "published_at": "2026-07-15 14:25:56+00:00", "updated_at": "2026-07-15 14:33:40.332290+00:00", "lang": "en", "topics": ["artificial-intelligence", "ai-ethics", "ai-policy"], "entities": ["Suno", "YouTube Music", "Deezer", "Genius", "Pond5", "Jamendo", "Freesound", "Bright Data"], "alternates": {"html": "https://wpnews.pro/news/hacked-suno-code-shows-youtube-and-deezer-scraping-behind-ai-music-models", "markdown": "https://wpnews.pro/news/hacked-suno-code-shows-youtube-and-deezer-scraping-behind-ai-music-models.md", "text": "https://wpnews.pro/news/hacked-suno-code-shows-youtube-and-deezer-scraping-behind-ai-music-models.txt", "jsonld": "https://wpnews.pro/news/hacked-suno-code-shows-youtube-and-deezer-scraping-behind-ai-music-models.jsonld"}}