Retro computer with a pixelated smiley face on screen, surrounded by yellow musical notes on a purple background.

Hacked Suno Files Reveal How the AI Music Startup Built Its Training Library

Leaked files reveal Suno training data from YouTube Music, Deezer and Genius, intensifying copyright lawsuits and security questions.

In short

Leaked files reportedly show that Suno built its AI music models using millions of clips from YouTube Music, Deezer, Genius and other platforms. The breach also appears to have exposed some customer data, adding privacy concerns to the company’s already serious copyright disputes.

  • Leaked files reportedly reveal Suno scraped millions of songs, lyrics and audio clips for training.
  • The material suggests possible stream ripping from YouTube Music and scraping through third-party tools.
  • Suno is already facing lawsuits from the music industry over alleged copyright misuse.
  • The same security incident reportedly exposed customer email addresses, phone numbers and billing-related data.
  • Suno says the breach was contained and that its models were trained on publicly available internet music files.

Suno’s secret training library appears to have been far larger and more aggressively assembled than the company has publicly detailed, according to hacked files reviewed by 404 Media. The materials reportedly show the AI music generator ingested millions of songs, lyrics, and other audio sources from platforms including YouTube Music, Deezer, and Genius, deepening the copyright and data security scrutiny already surrounding the startup.

The leak matters because Suno has been fighting allegations that it trained its music models on copyrighted works without permission. The newly surfaced files do not settle the legal dispute, but they offer one of the clearest looks yet at the scale and method of the company’s data collection, including evidence that suggests possible “stream ripping” from YouTube and the use of third-party scraping services.

At the same time, the incident appears to have exposed some customer information, raising separate questions about security, disclosure, and how much trust users should place in generative AI platforms that handle sensitive account and payment data.

What the hacked files allegedly show

The leaked material, according to 404 Media, includes Suno source code from 2023 and 2024, along with internal instructions for pulling audio from multiple online repositories. Those repositories reportedly include YouTube Music, Deezer, Genius, Pond5, Jamendo, Freesound, and the International Music Score Library Project, commonly known as IMSLP.

The files also reportedly reference the downloading of podcast audio through PodcastIndex, suggesting Suno explored much broader audio sources than just commercially released music. In practical terms, that points to a dataset built not only from songs, but also from related spoken-word and reference material that could help a model learn structure, style, rhythm, voice, and lyrical patterns.

One of the more striking details in the leak is a file tied to YouTube Music that reportedly states Suno had already consumed 2,013,545 clips at the time it was last updated. Other dataset records allegedly describe collections spanning hundreds of thousands of hours of music from YouTube Music and thousands of hours from Deezer, Genius, IMSLP, Jamendo, and Pond5.

Additional code reportedly shows Suno searched for acapella versions of songs, potentially to isolate vocal tracks for model training. That approach would be consistent with a system designed to learn how voices and instrumentals interact in full songs, rather than merely analyzing metadata or short previews.

Why the training source disclosure matters

The disclosure matters because Suno has long resisted giving a full accounting of what data it used to train its models and how that data was gathered. In an industry where model performance is often tied to the size and quality of training sets, those decisions can shape everything from output quality to legal exposure.

Suno is already facing lawsuits from the music industry, including a case brought by the Recording Industry Association of America. In that litigation, Suno has argued that training on publicly available music and copyrighted material can fall under fair use. The music industry disputes that view and says the company’s practices crossed legal lines.

The leaked files may not answer the fair-use question, but they add factual weight to the argument that Suno’s data collection went far beyond casual web scraping. If the company did use content from platforms with anti-circumvention protections, the legal stakes could extend beyond copyright law into claims that it bypassed technical barriers meant to prevent unauthorized copying.

How does this relate to the YouTube “stream ripping” claim?

It matters because the leaked instructions reportedly align with accusations that Suno intentionally extracted audio from YouTube rather than relying only on files that were openly downloadable. The RIAA previously amended its complaint to allege the company unlawfully bypassed YouTube’s copyright protections by stream ripping tracks from the platform.

Stream ripping is a sensitive claim because it suggests a deliberate process for converting streamed audio into stored training files. If proven, that would raise questions not only about infringement, but also about whether Suno circumvented platform safeguards that are commonly used to limit unauthorized copying.

The leak does not itself prove every allegation in the lawsuit, but it appears to lend technical context to the industry’s claims. For rights holders, that context may be as important as the raw count of files, because it speaks to intent, workflow, and the mechanics of collection.

The reported files suggest Suno trained on a wide range of music and audio sources, while the company says its models were built from publicly available files and related metadata on third-party websites.

What was in Suno’s datasets?

Based on the leaked descriptions reported by 404 Media, Suno’s training corpora included several different kinds of audio and lyric sources. Some were music libraries or independent media repositories, while others were more traditional music-annotation or lyric sites.

That mix is notable because it suggests Suno may have been assembling a multi-layered dataset designed to teach its model how songs are structured, how vocals align with instrumentals, and how lyrical phrasing maps to musical timing. In other words, the company may have been building training material not just for generation, but for musical coherence.

Source or dataset Reported scale or status What it may have provided
YouTube Music 2,013,545 clips reportedly consumed Large-scale song audio and performance data
Deezer Thousands of hours reportedly included Commercial music catalog audio
Genius Thousands of hours or related content Lyrics and annotation context
IMSLP Thousands of hours reportedly included Public-domain sheet music and recordings
Jamendo / Pond5 Thousands of hours reportedly included Licensed or creator-uploaded audio
Freesound / MuseScore lyrics Hundreds of hours reportedly included Effects, samples, and lyric data
Podcasts via PodcastIndex About 1 million hours sought Spoken-word audio and voice variety

The presence of sources like IMSLP and Freesound is important because those libraries may contain material with different licensing conditions than major commercial catalogues. But the inclusion of YouTube Music and Deezer is where much of the legal heat lies, because those services are central to the recorded-music ecosystem and are closely watched by labels and publishers.

How Suno responded to the leak

Suno says the leaked material should be viewed in light of what it has already said in public filings: that its models were trained on public music files and related metadata found on third-party websites. The company has not publicly provided a full itemized list of datasets, and the leak appears to give outside observers more detail than Suno has volunteered on its own.

In a statement reported by 404 Media, a Suno spokesperson said the company became aware of a security incident in November 2025 and that it responded quickly. The spokesperson said the investigation found that the issue largely involved obsolete source code that is no longer used and that no sensitive personal information was compromised.

The same statement also said Suno does not hold full customer card numbers because Stripe handles that information, and that, given the limited scope of the data believed to be involved, the company determined direct user notices were not required under applicable privacy laws.

That explanation may address some regulatory questions, but it may not fully reassure users who expect a generative AI service to proactively disclose any incident that touches account details, phone numbers, or billing data. Even if the data exposure was narrow, the breach adds another layer to a story already dominated by trust issues.

What did the company say about training data?

It said its models were trained on publicly available music files and related metadata accessible from third-party websites on the open internet. That formulation is broader than some users might expect, and it leaves open the question of how “publicly available” data was collected, whether platform terms were followed, and whether copyright owners consented.

For music labels, publishers, and songwriters, those distinctions are not academic. They go to the heart of whether an AI company is merely indexing lawful content or building a commercial product atop material that should have required licenses.

Why the security incident matters too

The hack is not only a copyright story; it is also a privacy and cybersecurity story. The leaked customer data reportedly included email addresses, phone numbers, and Stripe-related payment details. 404 Media said some users it contacted confirmed they had accounts with Suno and said they had not been warned about a breach.

That combination is important because AI startups often collect both creative content and customer data at the same time, creating multiple exposure points. A breach can reveal internal code, reveal product strategy, and expose personal information in one event. In this case, the security incident appears to have produced exactly that kind of overlap.

Even if no full card numbers were accessible, contact details and billing metadata can still be useful for phishing, identity targeting, and social engineering. Customers who subscribe to fast-growing AI products may be especially vulnerable if they assume a service’s flashy public face implies mature security operations behind the scenes.

  • Leaked code reportedly maps out Suno’s music-data collection pipeline.
  • The materials suggest large-scale scraping from YouTube Music and other platforms.
  • Suno is already being sued over alleged copyright misuse in AI training.
  • The incident may have exposed customer contact and billing-related information.
  • The company says the breach was contained and did not require user notices.

How big was the reported data haul?

The scale appears to be enormous. The leaked files reportedly refer to millions of clips and hundreds of thousands of hours of music from different services, plus an attempt to gather roughly 1 million hours of podcasts. Even if some of those figures represent targeted experiments rather than finalized training sets, they still indicate industrial-scale collection.

That scale helps explain why Suno’s output can sound more polished than early music-generation systems that struggled with structure or coherence. Music is a deeply patterned medium, and large datasets tend to improve a model’s ability to imitate tempo, harmonic movement, lyrical pacing, and genre cues.

But more data also raises more questions. The bigger the scrape, the harder it becomes for a company to argue that it made careful source-by-source licensing decisions. At a certain point, the burden shifts from “Did the company use data?” to “How did it lawfully obtain data at this volume?”

Why would Suno search for acapellas?

It likely wanted isolated vocals to train or evaluate how its system handles singing without instrumental interference. Acapella tracks can help a model learn vocal tone, phrasing, and rhythm with greater clarity than full mixes, which contain overlapping instruments and effects.

That detail is a reminder that training pipelines are not always simple dumps of raw files into a model. They are often curated and refined, with engineers seeking out special audio versions that help the model learn a particular capability.

What the case means for AI music going forward

The leaked files arrive at a moment when the entire AI music sector is under pressure to explain how it sources training content. Like the AI image and text industries before it, music generation is now being forced to confront the gap between technological capability and rights-holder consent.

That tension is especially intense in music because songs are not just data. They are commercial works with identifiable authors, licensing markets, and deeply organized rights structures. A single track can involve multiple owners, from recording-rights holders to publishers and songwriters. That complexity makes broad scraping especially combustible.

If the allegations hold up, Suno could become a defining test case for whether AI companies can rely on public availability alone, or whether courts will require a more formal licensing framework. The outcome could affect not just Suno, but every startup building generative systems for audio creation.

There is also a broader reputational issue. Startups that sell creativity tools often market themselves as collaborators with artists, not extractors of their work. Leaks like this can quickly erode that framing, especially if the underlying data practices appear secretive or adversarial.

Timeline of the Suno controversy

The current dispute did not begin with the leak, but the leak may sharpen a controversy already years in the making. Here is a simplified timeline of the major developments reported in this case.

When What happened Why it matters
2023–2024 Reported Suno source code and scraping instructions were created Shows the alleged development of the company’s data pipeline
Last update of key files YouTube Music dataset reportedly listed 2,013,545 clips Indicates the scale of the collection effort
Last year RIAA amended its lawsuit to include stream-ripping allegations Introduced claims of deliberate circumvention of platform protections
November 2025 Suno says it discovered a security incident Marks the start of the breach response timeline
July 2026 404 Media reports on the leaked files Brings the alleged training sources into public view

What happens next?

The immediate next steps are likely to play out in court and in public disclosures. Rights holders will probably use the leak to support their claims about Suno’s data practices, while the company may continue to argue that its training methods are lawful under fair use and that the incident was limited in scope.

For regulators and lawmakers, the case adds another example of how generative AI products can sit at the intersection of copyright, consumer privacy, and cybersecurity. A company can be litigating over the provenance of its data while also defending its handling of user information, and both issues can feed into the same trust crisis.

For artists and labels, the leak may intensify pressure to demand transparency before music is used to train commercial AI systems. For users, it is a reminder that even creative tools can hide complex data pipelines and security risks behind a simple consumer interface.

And for Suno, the challenge is bigger than this single breach. The company now has to convince courts, customers, and the music industry that its product was built responsibly, even as leaked files appear to suggest a very different picture of how its models were assembled.

Suno says it used publicly available music and metadata from the open internet, but the leaked files reportedly indicate a far more expansive collection process involving multiple platforms and millions of clips.

That gap between public explanation and reported internal reality is what makes the story so consequential. In the fast-moving AI music race, access to vast amounts of audio may drive technical advantage, but the long-term winners will likely be the companies that can also prove they earned that access lawfully.

Frequently asked questions

What did the Suno leak reveal?

The Suno leak reportedly revealed internal code and scraping instructions showing the company collected millions of songs, lyrics and audio clips from services such as YouTube Music, Deezer, Genius, Jamendo, Pond5 and others for AI training.

Did Suno scrape YouTube Music for training data?

According to the leaked files reported by 404 Media, yes. One file reportedly states that Suno had consumed more than 2 million YouTube Music clips, and other code suggests the company used methods that may amount to stream ripping.

Is Suno being sued over copyright issues?

Yes. Suno is already facing major music-industry litigation, including claims from the Recording Industry Association of America that it used copyrighted works improperly and may have circumvented YouTube protections to collect audio.

Was customer data exposed in the Suno breach?

Yes, reportedly. The hacked data appears to have included email addresses, phone numbers and Stripe-related payment details, although Suno says no full card numbers were accessible and that the incident was contained.

How did Suno respond to the security incident?

Suno says it discovered the incident in November 2025, investigated it immediately and concluded that it involved outdated source code rather than sensitive personal information. The company said it did not believe individual notifications were legally required.

Share this 🚀