Suno has long acknowledged that its AI music generator relied on the scraping of millions of songs available across the internet, but a new hack reveals just how the company pulled from streaming services and websites such as YouTube Music, Deezer and Genius to power its product — all while user information remained vulnerable.
A report in 404 Media on Wednesday, relying on data a hacker provided to the outlet, showed the instructions in the company’s source code had it scrape files from “genius_hq, youtube_music, freesound, jamendo, imp, deezer,” with the stock music libraries Freesound, Jamendo and the International Music Score Library Project among the other sources scraped. The instructions demanded that “non-music” be filtered out. The hacker also had access to Suno’s customer list, which included emails, phone numbers and Stripe payment details, according to the report.
Representatives for Deezer, YouTube Music, Genius, and the stock libraries scraped did not respond to immediate requests for comment.
A Suno spokesperson said the hack was “quickly contained” after the company learned about it in November 2025 and that it primarily exposed “outdated source code that is no longer in use at Suno.” The spokesperson said no sensitive user information was compromised, as the company does not retain full credit card numbers, and that due to the limited breach, it didn’t feel obligated to notify its user base.
“As we have stated in public filings and disclosures, Suno’s AI models have been trained on publicly available music files and related metadata accessible on third-party websites on the open Internet,” the spokesperson said.
One file focused on YouTube Music noted it took in “2,013,545 music clips” at the time it was last updated, while another file’s comments about Suno’s datasets included “113,879 hours of youtube_music,” “17,615 hours of genius_hq,” “410 hours of free sound,” “19,514 hours of imslp,” “3,726 hours of jamendo,” “62,117 hours of pond5_music,” “12,287 hours of deezer,” “152,162 hours of ytm_tagged” and “103 hours of musescore_lyrics,” according to the 404 Media report.
Suno has acknowledged in both the filings and its website that its product was trained on “essentially all music files of reasonable quality that are accessible on the open Internet, abiding by paywalls, password protections, and the like, combined with similarly available text descriptions,” though it has claimed such use is protected under fair use law and that it has introduced to prevent its users from producing songs similar to those scraped through the training.
“Our goal has always been to help people create original new music, not replicate someone else’s. That’s why we build our models around what we call ‘Original Creation, By Design,’” the spokesperson said in a statement. “For example, we intentionally do not use artist names as a category of training metadata because we want our models to help people create brand new songs, not music that replicates other artists’ existing work. It’s also why we built Suno with detection filters that block or prevent a user from using specific artist, song, or album names as prompts, and prevent users from uploading lyrics or sound recordings that match existing works.”