A security breach of the AI music platform Suno has revealed that the company’s models were trained on content scraped from major streaming and lyric sites, including YouTube Music, Deezer, and Genius. The leak, reported by 404 Media, provides the first detailed public view of the data sources used to build Suno’s generative models.

According to the leaked source code, Suno collected more than 113,000 hours of audio from YouTube Music, 152,000 hours of tagged YouTube audio, over 17,000 hours from Genius, and more than 12,000 hours from Deezer. The code also references additional sources such as Pond5, Jamendo, Freesound, the International Music Score Library Project (IMSLP), and podcast RSS feeds. In one part of the code, Suno’s developers appear to have searched for a cappella versions of songs on YouTube, presumably to isolate vocal tracks for training.

Suno’s spokesperson said the code that was exposed is “outdated and no longer used by the company.” The company also confirmed that no payment data was compromised and reiterated that its models were trained on publicly available music files and metadata.

The leak comes amid ongoing lawsuits from the Recording Industry Association of America, Universal Music Group, and Sony Music Entertainment. The record labels allege that Suno copied copyrighted recordings without permission to train its AI systems. A key point in the litigation is whether Suno engaged in “stream ripping” – downloading protected audio from YouTube while bypassing technical safeguards. The leaked code appears to support the claim that Suno scraped YouTube recordings, a fact that could affect the company’s fair‑use defense.

The incident also highlights a broader debate in the music industry about the use of copyrighted works to train artificial intelligence. While some creators view AI as a useful tool, many insist that copyrighted music should only be used with permission, transparency, and fair compensation. The outcome of the Suno case may influence how future AI music models are built, licensed, and regulated.

Suno was founded in Cambridge, Massachusetts, and launched its web application in December 2023. It has been integrated into Microsoft Copilot as a plugin, and the company has faced multiple legal challenges over its data‑collection practices. The Shai‑Hulud worm, which infected Suno’s systems, was identified by a threat actor using the handle ellie.191.

For artists and labels, the leak underscores the importance of clear ownership records and metadata. Distributing music through established digital platforms can help establish authorship and rights management, making it easier to contest unauthorized use. Companies such as RouteNote offer free distribution to major services, but no distribution service can prevent all forms of unauthorized training.

The Suno breach does not resolve the legal questions surrounding AI training, but it provides a concrete example of how large AI music generators may source their data. As governments review AI copyright rules and platforms introduce new detection systems, the industry will continue to grapple with the balance between innovation and intellectual property protection.

At present, Suno remains in litigation with UMG and Sony, and the company maintains that its training data consists of publicly available content. The legal and regulatory implications of the leak will unfold as the lawsuits progress.