Software & SaaS

AI Music Firm Suno Trained on YouTube, Deezer Data, Leaked Code Shows

Hacked source code from AI music generator Suno reveals extensive scraping of YouTube, Deezer, and other platforms for training data. The leak surfaces amid ongoing copyright lawsuits against the company.

Christopher Clark
Christopher Clark covers software & saas for Techawave.
3 min read0 views
AI Music Firm Suno Trained on YouTube, Deezer Data, Leaked Code Shows
Share

Hacked source code from AI music company Suno has revealed that the platform scraped vast amounts of music data from services including YouTube Music, Deezer, and Genius to train its artificial intelligence models. The code, obtained by a hacker who subsequently breached Suno and shared the information with 404 Media, also exposed sensitive customer data, including emails, phone numbers, and payment details. This leak intensifies scrutiny on Suno amidst ongoing copyright infringement lawsuits filed by major record labels.

The leaked data reportedly corroborates allegations that Suno directly extracted songs from YouTube. Suno has previously acknowledged in court filings that its training data was sourced from music accessible on the public internet. The company is currently defending itself in a copyright infringement lawsuit coordinated by the RIAA, arguing that its use of copyrighted works constitutes fair use. In its defense, Suno stated its training data encompasses "essentially all music files of reasonable quality that are accessible on the open internet, abiding by paywalls, password protections, and the like." The newly surfaced code, however, provides specific details on the platforms Suno utilized and the volume of data acquired.

Comments within the leaked code reference pulling data from sources such as "genius_hq, youtube_music, freesound, jamendo, imp, deezer, ytm_tagged," with an intention to filter out non-music content. A file labeled "youtube_music" indicated the ingestion of "2,013,545 music clips." Datasets compiled by Suno included 113,879 hours of material logged from YouTube Music, along with an additional 152,162 hours from "ytm_tagged." The company also incorporated 62,117 hours from stock media library Pond5, 19,514 hours from the International Music Score Library Project, 17,615 hours from Genius, and 12,287 hours from Deezer, totaling decades of audio content. Further code analysis suggested Suno actively searched for a cappella versions of songs on YouTube, potentially to isolate vocal tracks, and utilized proxies from Bright Data for scraping YouTube content. Additionally, the code indicated Suno's use of PodcastIndex to gather approximately 420,000 podcasts.

Legal Battles Escalate Over AI Training Data

The details emerging from the hacked code directly fuel the existing legal battles against Suno. In September 2025, the RIAA amended its complaint, accusing Suno of "stream ripping" from YouTube and circumventing its encryption. The industry group alleged that Suno unlawfully copied songs by bypassing technological measures designed to prevent unauthorized downloads, a claim that this leaked data appears to validate. The labels contend that such circumvention violates the anti-circumvention provisions of the Copyright Act, a claim separate from Suno's fair-use defense concerning the copying itself.

The stakes in the lawsuit are significant. Record labels are seeking statutory damages of up to $150,000 per infringed work and an additional $2,500 for each act of circumvention. In May, Universal Music Group and Sony Music Entertainment sought to expand their case from 560 works to 61,026 identified through audio fingerprinting. This expansion could raise the potential maximum statutory damages from approximately $84 million to over $9 billion, pending a judge's ruling. The hacked data provides concrete evidence that could bolster the labels' claims regarding the scope and nature of Suno's data acquisition.

In response to the breach and the revelations, a Suno spokesperson stated, "As we have stated in public filings and disclosures, Suno’s AI models have been trained on publicly available music files and related metadata accessible on third-party websites on the open Internet." Suno acknowledged experiencing a "limited security incident that was quickly contained" in November 2025. The spokesperson asserted that the incident primarily involved outdated source code and that no sensitive personal information was compromised, adding that Suno does not store customers' full credit card numbers. The company concluded that individual breach notifications were not required under applicable privacy laws and has filed necessary training-data disclosures in California.

However, some customers whose records were exposed have reportedly confirmed they received no notification from Suno. The hacker, identifying as ellie.191, claimed to have gained access using a supply-chain worm targeting employee logins. Meanwhile, platforms named in the code are also taking action. Deezer, a music streaming service that actively identifies AI-generated music, is facing accusations of allowing Suno to scrape its data, despite its own tools for detecting AI tracks. Separately, Jamendo, a music licensing platform based in Luxembourg, is suing Suno for allegedly training on a 55,600-track dataset licensed exclusively for non-commercial academic use, without securing a commercial license. Jamendo is seeking at least €17.8 million (approximately $20 million) in damages. Warner Music Group, a former co-plaintiff, settled with Suno in November 2025, entering a licensing partnership that included Suno's acquisition of Songkick. Suno itself recently secured over $400 million in funding in June 2026.

Share