2 min read

Suno hack exposed how much music it scraped

A 2025 breach at Suno exposed old source code and datasets pointing to massive scraping from YouTube Music, Genius, Deezer, and more.

Image: Gizmodo

A November 2025 breach at Suno has offered a rare look inside the training pipeline behind the music generation startup. According to 404 Media, a hacker who accessed the company’s systems obtained source code from 2023 to 2024 that appeared to include scraping instructions and internal data showing just how much music Suno had collected from across the web.

The leaked code suggests Suno pulled material from Genius, YouTube Music, Deezer, and stock music libraries including Freesound and the International Music Score Library Project. One file tied to YouTube Music indicated the company had scraped 2,013,545 music clips. Another dataset measured the haul in listening time, including 113,879 hours from YouTube Music, 17,615 hours from Genius, and 62,117 hours from royalty-free site Pond5.

A Suno spokesperson confirmed the incident to Gizmodo.

Recommended reading

Windows zero-day appears as Microsoft ships record patches

“In November of 2025, we determined that Suno had been the subject of a limited security incident that was quickly contained.” “At the time, we immediately conducted an investigation and verified that the incident primarily involved outdated source code that is no longer in use at Suno.”

Suno spokesperson

The breach also reportedly exposed customers' email addresses or phone numbers and Stripe payment details. Suno said “no sensitive personal information was compromised” and added that it does not have access to customers' full credit card numbers through Stripe. The company also said it did not notify affected users individually because, in its view, the incident did not require that under applicable privacy laws.

On the training data itself, Suno argued the hack did not reveal anything new. The company said its systems are designed for “Original Creation, By Design”, and that it does not use artist names as a category of training metadata. It also said it blocks prompts using specific artist, song, or album names, and prevents users from uploading lyrics or recordings that match existing works.

Those claims sit alongside ongoing legal challenges. Universal Music Group, Capitol Records, Atlantic Records, Warner Music, and Sony Music have sued Suno, alleging its model can still generate outputs that closely mimic copyrighted songs. In that case, the labels said a prompt for “1954 rock and roll billy haley comets” produced an output that allegedly copied Bill Haley’s style and melody.

Suno has already acknowledged in legal filings that its training set includes “essentially all music files of reasonable quality that are accessible on the open internet,” while arguing that using that material to train its models is fair use. The leaked code does not settle that question, but it does put concrete numbers on the scale of the scraping behind Suno’s model.

Sophia Reynolds

Security Editor

Sophia unpacks the invisible wars happening on our networks. Covering cybersecurity, privacy legislation, and cryptography, she exposes how our data is weaponized and defended. Before joining for(geeks), she spent years as a penetration tester. She's the reason the rest of the team uses physical security keys.

via Gizmodo

// Keep reading