
Suno confirmed a security breach last November that exposed internal details about how it collected millions of songs for training data. The hacker accessed source code and customer records, though the company stated no sensitive personal information was compromised.
How the breach unfolded
The hacker told reporters they infected a Suno employee’s device with a worm, gaining access to GitHub and cloud service credentials. Along with outdated source code, the intruder obtained data on the company’s music-scraping methods and a customer list containing hundreds of thousands of email addresses and phone numbers.
Suno contained the incident quickly and said no full credit card numbers—processed through Stripe—were exposed. Since the leaked customer data was limited, the company decided individual notifications weren’t required under privacy laws.
Details revealed about Suno’s training data
The exposed data showed Suno scraped music and lyrics from YouTube Music, Deezer, Genius, and stock music libraries. The company may have used proxy services to pull audio from YouTube, including acapella tracks, and RSS feeds to collect hundreds of thousands of podcasts.
This isn’t the first time Suno’s data practices have drawn attention. In a 2024 court filing, the company admitted to scraping tens of millions of recordings from the internet, arguing its approach qualified as fair use. Suno has faced a copyright infringement lawsuit from record labels in the US. Late last year, Warner Music Group dropped out of the case as it reached a licensing deal with Suno.
Related: Starlink unveils smaller home dish
AI music tools have sparked debates over copyright and creativity. Suno and similar platforms claim their models learn from publicly available material, while artists and labels argue the practice violates their rights. The breach doesn’t resolve the dispute, but it reveals how one of the most prominent companies in the field built its dataset.
A spokesperson stated the models were trained on publicly available music files and related metadata from the open internet. The company also noted it has systems to prevent users from replicating existing artists’ work, though critics say those protections are easily circumvented.
The hacker’s findings match broader investigations into AI training datasets. One report identified collections containing millions of songs used to train music-generation models, raising concerns about transparency and consent in AI development.
The breach appears contained, but the controversy over Suno’s data practices continues.
For now, the company faces ongoing scrutiny.


