HACKER BROKE INTO SUNO AND FOUND TWO MILLION YOUTUBE SONGS SCRAPED TO TRAIN ITS AI AND THE COMPANY HID IT FOR MONTHS
A hacker used a supply chain attack last November to steal an employee’s credentials at Suno, the AI music generator currently facing lawsuits from major record labels, and walked out with source code that tells a damning story. The code reveals that Suno systematically scraped decades of audio from YouTube Music, Deezer, Genius, Pond5, and a library of podcast RSS feeds to train its models. The inventory is detailed in the hacked files: more than two million clips from YouTube Music alone totaling 114,000 hours of audio, nearly 12,000 hours from Deezer, 18,000 from Genius, and around a million hours of speech scraped from 420,000 podcasts.
The scraping techniques appear to have deliberately circumvented YouTube’s protections against data collection, a practice the record labels suing Suno say violates the Digital Millennium Copyright Act in addition to breaking YouTube’s own terms of service.
Here is what makes this worse: the breach happened in November 2025, and Suno did not tell its customers. The hacker also accessed Suno’s customer list, which included email addresses, phone numbers, and Stripe payment details. The company’s statement describes it as “a limited security incident that was quickly contained.” Two million scraped songs and months of silence about a customer data exposure is not a contained incident. It is a cover-up, and the record labels now have the receipts they have been looking for.
Keywords: Suno AI hack, AI music training data, YouTube scraping, AI copyright lawsuit