The Breach That Pulled Back the Curtain
A recent security breach targeting Suno AI, a prominent music generation tool, has provided an unprecedented look into the company's training data acquisition methods. A hacker, operating under the moniker ellie.191, gained access to Suno's internal source code in November 2025 through a supply chain attack, using an employee's credentials. The leaked data, shared with 404 Media, includes source code from 2023 and 2024, revealing explicit instructions and details about the scope of Suno's scraping activities.
This incident has seemingly validated years of allegations from musicians and record labels who suspected that AI music services were built upon their copyrighted work without permission. While Suno has acknowledged in court filings that its models were trained on "essentially all music files of reasonable quality that are accessible on the open internet," the hack offers concrete evidence of the specific platforms and scale of this data collection.
Millions of Tracks and Hours Scraped
The leaked files paint a clear picture of the vast amount of audio data Suno ingested. One file, specifically labeled "youtube_music," recorded over 2 million music clips. In terms of hours, the data shows extensive scraping from numerous sources:
- Over 113,000 hours from YouTube Music
- More than 17,000 hours from Genius HQ
- Over 12,000 hours from Deezer
- More than 62,000 hours from Pond5, a Shutterstock-owned stock music site
- Approximately 1 million hours of audio from around 420,000 podcasts identified through RSS feeds
The source code also indicated that Suno specifically sought out acapella versions of songs on YouTube to capture clean vocals for its models. To circumvent YouTube's anti-scraping measures, Suno reportedly utilized proxy services from a company called Bright Data. The inclusion of Genius as a source also means that copyrighted lyrics were allegedly ingested without permission, expanding the legal exposure beyond sound recordings to written compositions.
Legal Ramifications and the Fair Use Debate
This hack significantly impacts the ongoing legal battles between AI music generators and the music industry. Major record labels, including Universal Music Group, Sony Music Entertainment, and Warner Music Group, have filed copyright infringement lawsuits against Suno, alleging that the company used their artists' songs without consent or proper licensing. The Recording Industry Association of America (RIAA) has specifically accused Suno of "stream ripping" from YouTube, bypassing the platform's copy protections.
Suno, like many AI companies, has consistently argued that its use of original material for training data falls under the legal doctrine of "fair use." However, the leaked source code, which explicitly details the scraping of copyrighted content from platforms like YouTube Music and Deezer that prohibit such actions in their terms of service, is expected to severely undermine Suno's legal defense. While Suno has stated that the exposed code is "outdated" and no longer in use, and that no sensitive personal information was compromised, the hack provides a rare and detailed look into the "black box" of AI model construction.
