Generative AI music platform Suno suffered a major security incident, with internal source code and data collection information leaked, exposing its large-scale data scraping activities used to train AI music models. Leaked documents show that Suno previously used automated programs to collect large amounts of music, lyrics, and audio materials from platforms such as YouTube Music, Deezer, and Genius for model training.

According to reports, the incident occurred at the end of 2025, when a hacker "ellie.191" obtained Suno employee credentials through a supply chain attack and further stole company internal files. A folder containing more than 2 million YouTube video clips has drawn attention. In addition, the leaked data shows that Suno's crawler system obtained over 17,000 hours of lyric data from Genius, over 12,000 hours of song content from Deezer, and over 62,000 hours of audio material from Pond5. The related code also includes a filtering mechanism to exclude non-music files to ensure the quality of training data.

Music Playing

This leak may further increase the pressure of copyright lawsuits facing Suno. The Recording Industry Association of America (RIAA) had previously sued Suno on behalf of record companies such as Universal Music, Sony Music, and Warner Music, accusing it of using copyrighted music without authorization to train AI models. Suno had mainly defended itself based on the "fair use" principle, arguing that publicly available internet data can be used for AI training, but the data scraping process shown in the leaked code may become important evidence for copyright holders.

In addition to the source code, the hacker also obtained some user database information, including email addresses, phone numbers, and partial credit card metadata processed through Stripe. Suno stated that this incident was a "limited security event," involving some outdated code, and no complete credit card numbers were leaked, so they did not proactively notify users.

As the sources of training data for AI companies have become a focus of industry regulation, the Suno incident once again highlights the complex challenges in the development of generative AI, including data acquisition compliance, copyright authorization, and user privacy protection.