Hacked Suno Data Reveals Millions of Songs Scraped From YouTube Music, Deezer, and More
A security breach at the AI music generator exposed internal code showing the company pulled over two million clips from streaming platforms, and some customers say they were never told their data was accessed.

Key points
- A hacker accessed Suno's internal systems in November 2025 and shared code with journalists at The Verge AI that revealed how the company built its training data.
- Suno's scraped data included at least 2,013,545 clips from YouTube Music, plus hundreds of thousands of hours from Deezer, Genius, and other platforms.
- The Recording Industry Association of America (RIAA), the trade body that represents major record labels, had already sued Suno and alleged it "stream ripped" tracks by bypassing YouTube's copyright protections.
- Customer data accessed in the breach included email addresses, phone numbers, and payment details tied to the Stripe billing service.
- Suno told reporters the breach was contained quickly and that individual customer notifications were not legally required.
Suno, the startup behind an AI music generator that lets users create original-sounding songs by typing a text prompt, built its AI by scraping millions of tracks from streaming platforms including YouTube Music, Deezer, and the lyrics site Genius. That is the picture that emerges from internal company code exposed in a hacking incident and reported by The Verge AI.
The leaked files include scraping instructions, lists of data sources, and a record showing Suno had consumed more than two million YouTube Music clips by the time the relevant file was last updated. Other datasets covered hundreds of thousands of hours of audio from YouTube Music, thousands of hours from Deezer and Genius, and roughly one million hours of podcasts pulled through a tool called PodcastIndex.
One section of code suggests Suno used a third-party data company called Bright Data to pull audio from YouTube. Another apparently shows the company searched specifically for a cappella recordings, meaning vocals with no music, to isolate singing from background tracks.
Does this mean Suno broke the law?
That question is currently before the courts. The RIAA filed a lawsuit against Suno alleging it used copyrighted recordings without permission. Suno has publicly admitted to training on copyrighted material but argues this is legal under fair use, a US legal principle that allows limited use of protected content under certain conditions. A later amendment to the lawsuit added the more specific claim that Suno bypassed YouTube's own copy-protection systems, something the newly leaked code appears to support.
Suno's spokesperson said the company has always acknowledged training on "publicly available music files and related metadata accessible on third-party websites on the open internet."
The breach also touched customer records. The hacker accessed email addresses, phone numbers, and Stripe payment data for some users. Several customers confirmed to reporters that they had signed up for Suno but said the company never told them about the breach.
Suno's statement said it discovered the incident in November 2025, contained it quickly, and determined that the data involved was limited enough that privacy laws did not require individual notifications. The company also said it never holds customers' full credit card numbers.
For current Suno users, the practical advice is straightforward: check whether your email address appears in any public data-breach tracking services, consider updating your password, and watch for unexpected charges on whatever payment method you used to subscribe.



