Suno Hacked: Breach Exposes How AI Music Tool May Have Scraped Millions of Songs

A hacker broke into Suno's systems in November 2025, accessed customer data, and found source code that reportedly shows the AI music generator pulled audio from YouTube, Deezer, and podcast feeds without permission.

AI2Day Newsdesk· 3 min read
Photoreal news-editorial photograph, 16:9 framing, full-frame edge-to-edge composition
Share

Key points

  • A hacker breached Suno, an AI music generator that lets users create songs from text prompts, in November 2025.
  • The attacker used a supply chain attack, a method where hackers compromise a third-party tool or vendor to sneak into a bigger target, to steal an employee's login credentials.
  • Source code exposed in the breach reportedly shows Suno scraped audio from YouTube Music, Deezer, Genius, stock music libraries, and podcast RSS feeds.
  • Customer data exposed includes email addresses, phone numbers, and partial credit card numbers held by payment processor Stripe.
  • Suno did not tell customers about the breach and describes it as a "limited security incident that was quickly contained."

A hacker broke into Suno's systems and walked away with more than stolen data. They also found what could become key evidence in one of the music industry's biggest legal fights.

Suno is an AI music generator, a tool that lets anyone type a description and receive a finished song in seconds. The hacker told 404 Media, which first reported the story, that they gained access by pulling off a supply chain attack. That means they did not hit Suno directly. Instead, they compromised something connected to Suno, a third-party service or vendor, and used that foothold to steal an employee's login credentials. From there, they got inside.

What they found inside matters. The exposed source code reportedly shows Suno pulling audio from YouTube Music, Deezer, Genius, stock music libraries, and podcast RSS feeds. That detail lands in the middle of active litigation. Major record labels are already suing Suno, arguing that scraping audio from YouTube violates the Digital Millennium Copyright Act, a US law that prohibits deliberately bypassing a platform's technical protections, and breaks YouTube's own terms of service.

Suno has previously said it trains on "publicly available music files" and argues this falls under fair use, a legal principle that allows limited use of copyrighted material without permission in certain circumstances. Courts have not yet agreed or disagreed. The source code, if verified, could sharpen the record labels' case considerably.

Competitor Udio faces similar scraping allegations. Google, which owns YouTube, is itself dealing with copyright claims from book publishers over its own AI training practices.

For Suno's customers, the breach also has a direct and personal dimension. The hacker accessed email addresses, phone numbers, and partial credit card numbers stored through Stripe, the payment platform Suno uses to handle subscriptions. Partial card numbers alone are not enough for someone to make fraudulent purchases, but combined with email addresses they can fuel convincing phishing emails, fake messages designed to trick you into handing over more.

Suno confirmed a breach occurred but called it a "limited security incident that was quickly contained." The company did not notify customers. The breach happened in November 2025.

Should Suno customers be worried?

Yes, in a practical and limited way. Your full card number was not exposed, but your email and phone number were. Watch for emails or texts that appear to come from Suno, Stripe, or your bank asking you to verify payment details or log in urgently. Legitimate companies do not ask for passwords or full card numbers by email. If you use the same password for Suno as for other services, change it now and turn on two-factor authentication, an extra login step that sends a code to your phone, wherever your accounts allow it.

© 2026 AI2Day