A hacker breached AI music startup Suno in November 2025, gaining access to source code that allegedly reveals how the company scraped millions of songs and other audio content from the internet. The stolen data, shared with 404 Media, includes details on Suno's training data collection methods and a customer list containing hundreds of thousands of email addresses and phone numbers. Suno confirmed the incident but stated that no sensitive personal information, such as full credit card numbers, was compromised.
What the hacker obtained
The hacker said they infected a Suno employee's system with a worm, which allowed them to steal credentials for GitHub and cloud services. Along with the source code, they accessed a customer list with contact information. Suno's spokesperson noted that the stolen code is outdated and no longer in use, and that the company does not store full credit card numbers in its Stripe system.
Suno's scraping practices exposed
The leaked data indicates that Suno scraped music and lyrics from platforms including YouTube Music, Deezer, Genius and stock music libraries. The company reportedly used proxy services to evade detection while scraping YouTube, even collecting acapella versions of songs. It also used RSS feeds to pull in hundreds of thousands of podcasts. Suno has previously admitted in court filings that it scraped "tens of millions of recordings" from the internet, arguing that its use of copyrighted material constitutes fair use.
Legal and regulatory context
Suno is currently facing a copyright infringement lawsuit from major record labels in the US. Late last year, Warner Music Group dropped out of the case after reaching a licensing deal with the company. Suno's spokesperson reiterated that its AI models are trained on publicly available music files and metadata from third-party websites. The company decided not to notify individual customers about the breach, stating that the limited nature of the exposed information did not warrant such notifications under privacy laws.