Suno Source Code Leaked: Hackers Reveal Large-Scale Music Data Scraping Used to Train AI Models

Technology17.Jul.2026 01:203 min read

Generative AI music platform Suno has suffered a supply chain attack that exposed its internal source code and data collection details, revealing that it had scraped large volumes of music, lyrics, and audio materials from multiple platforms for AI model training. The incident also involved the leak of some user database information and could further intensify the copyright litigation pressure facing Suno.

Suno Source Code Leaked: Hackers Reveal Large-Scale Music Data Scraping Used to Train AI Models

Suno, a generative AI music company, has been hit by a serious security breach that exposed internal source code and documents tied to how it gathered material for model training. The leaked files point to large-scale automated collection of music-related content from platforms such as YouTube Music, Deezer, and Genius, raising fresh questions about how AI music systems are built and what data they rely on.

According to reports, the incident took place in late 2025. A hacker using the name “ellie.191” allegedly gained access through a supply-chain attack, obtained employee credentials, and then extracted internal company materials. What emerged was not only code, but also operational details that appear to describe Suno’s data ingestion pipeline.

Leaked materials shed light on training data collection

The documents suggest that Suno’s data gathering efforts were broad in scope and pulled from several major content sources. One of the most closely watched revelations involves a repository containing more than 2 million YouTube video clips.

Other figures mentioned in the leaked materials include:

  • More than 17,000 hours of lyric data sourced from Genius

  • More than 12,000 hours of song content obtained from Deezer

  • More than 62,000 hours of stock and source audio collected from Pond5

  • Over 2 million related video clips gathered from YouTube

The leaked code also reportedly included filtering logic designed to remove non-music files, suggesting an effort to improve the quality and relevance of the training dataset.

Copyright pressure could intensify

The breach may have implications far beyond cybersecurity. Suno was already facing legal pressure over copyright issues, and the newly exposed material could add to that scrutiny.

The Recording Industry Association of America (RIAA) previously sued Suno on behalf of major labels including Universal Music, Sony Music, and Warner Music. The core allegation is that the company trained its AI systems on copyrighted music without authorization.

Until now, Suno has largely leaned on a fair use defense, arguing that publicly accessible online material can be used to train AI models. But if the leaked code accurately reflects systematic scraping and ingestion workflows, rights holders may view it as stronger evidence in support of their claims.

The incident does not just expose code. It potentially exposes the mechanics behind how copyrighted music, lyrics, and audio may have been assembled at scale for AI training.

User information was also affected

The breach was not limited to engineering assets. The hacker also reportedly accessed part of Suno’s user database, including email addresses, phone numbers, and some credit card metadata processed through Stripe.

Suno described the matter as a “limited security incident” and said the exposed code included some outdated components. The company also stated that full credit card numbers were not leaked. Based on that assessment, it reportedly did not proactively notify users.

A wider warning for the AI industry

The Suno incident highlights two pressures that increasingly define the generative AI sector. The first is the growing debate over whether training data has been obtained lawfully, with proper licensing or clear legal justification. The second is the responsibility companies carry when it comes to protecting internal systems, sensitive business information, and user data.

As regulators, copyright holders, and the public continue to focus on the origins of AI training datasets, this leak is likely to remain significant. It offers a rare look into the internal workings of an AI music platform while also underscoring how legal risk, privacy concerns, and cybersecurity failures can collide in a single event.