AIToday

Suno trained AI on millions of songs scraped from YouTube, Genius, Deezer

The Verge AI3h ago
Suno trained AI on millions of songs scraped from YouTube, Genius, Deezer

Key takeaway

Leaked hacking data has revealed that Suno, an AI music generator facing lawsuits over copyright infringement, trained its models by scraping millions of songs from YouTube Music, Deezer, Genius, and other platforms—including 2,013,545 YouTube Music clips and hundreds of thousands of hours from various sources. The disclosures directly support allegations by the Recording Industry Association of America (RIAA) that Suno intentionally circumvented YouTube's protections to "stream rip" tracks, undermining the company's public defense that its training practices fall under fair use doctrine.

Summaries like this, in your inbox every morning.

Sign up free →

3 Key Points

  • What happened

    A hacking incident exposed that Suno, an AI music generator, scraped millions of songs and lyrics from online platforms including YouTube Music, Deezer, Genius, Pond5, Jamendo, Freesound, and the International Music Score Library Project (IMSLP) to train its models. Leaked data from 2023 and 2024 shows Suno had consumed 2,013,545 YouTube Music clips and sourced hundreds of thousands of hours of content from multiple platforms, including roughly one million hours of podcasts.

  • Why it matters

    Suno is facing multiple lawsuits—including one from the Recording Industry Association of America (RIAA)—alleging it used copyrighted materials without permission. The leaked data directly corroborates the RIAA's claim that Suno circumvented YouTube's copyright protections through "stream ripping." Suno has defended its practices as legal under fair use doctrine, but these disclosures show the scope of the scraping was far larger than previously known and confirm allegations it deliberately sourced a cappella tracks to extract vocal-only audio.

  • What to watch

    The hacking incident, disclosed in November 2025, also exposed customer information including email addresses, phone numbers, and Stripe payment details, though Suno stated no sensitive payment data was compromised. The company did not notify affected customers, stating it determined individual notifications were not required under privacy law.

In Depth

In November 2025, a security breach at Suno exposed internal data that laid bare the AI music generator's data collection practices. A hacker identified as "ellie.191" obtained source code from 2023 and 2024, along with detailed scraping instructions and datasets, and shared the materials with 404 Media. The leaked files reveal that Suno systematically downloaded music from YouTube Music, Deezer, Genius, Pond5, Jamendo, Freesound, the International Music Score Library Project (IMSLP), MuseScore, and podcasts via PodcastIndex. According to one file, Suno had consumed 2,013,545 YouTube Music clips at the time of the last update. Across all sources, the company had compiled hundreds of thousands of hours of YouTube Music, thousands of hours of Deezer, Genius, IMSLP, Jamendo, and Pond5, hundreds of hours of Freesound and MuseScore lyrics, and roughly one million hours of podcasts.

The scraping operation was not haphazard. Code disclosed by the hacker shows that Suno employed a third-party company called Bright Data to pull audio from YouTube, and specifically searched for a cappella versions of songs on the platform to isolate vocal-only audio—a practice suggesting the company aimed to extract and repurpose isolated vocal tracks. These disclosures directly corroborate allegations made by the Recording Industry Association of America (RIAA) in an ongoing lawsuit, which claims that Suno unlawfully circumvented YouTube's copyright protections through intentional "stream ripping." Suno has been sued multiple times for allegedly training on copyrighted materials without permission. In its own defense filings, the company has argued that training on copyrighted materials and publicly available music files from the open internet is legally permitted under fair use doctrine. Suno maintains that stance, with an unnamed spokesperson telling 404 Media: "As we have stated in public filings and disclosures, Suno's AI models have been trained on publicly available music files and related metadata accessible on third-party websites on the open Internet."

The breach also exposed customer information, including email addresses, phone numbers, and Stripe payment details. Some customers contacted by 404 Media confirmed they had signed up for the service and said that Suno never notified them about the security incident. In a statement, a Suno spokesperson said the company became aware of the incident in November 2025 and quickly contained it. The company stated: "At the time, we immediately conducted an investigation and verified that the incident primarily involved outdated source code that is no longer in use at Suno and that no sensitive personal information was compromised. Importantly, Suno does not have access to customers' full credit card numbers in Stripe." The spokesperson added that based on the limited nature of the customer information believed to be involved, "we determined that individual notifications were not warranted under applicable privacy laws." This assertion—that notification was unnecessary—conflicts with the apparent scale of exposed customer data and may face scrutiny from regulators or affected users.

Context & Analysis

Suno's position in ongoing litigation has been strengthened by the leaked data, which transforms the RIAA's allegations from speculation into documented evidence. The hacker's disclosure of source code and scraping instructions directly supports the RIAA's claim that Suno intentionally circumvented YouTube's copyright protections—a violation distinct from the fair use defense Suno has been mounting. Suno has consistently avoided public disclosure of its training data sources, stating only that it trained on "publicly available music files and related metadata accessible on third-party websites on the open Internet." The leaked files reveal not just what was scraped, but how: the deliberate search for a cappella versions to isolate vocals, the use of third-party scraping services like Bright Data, and the systematic scale (over 2 million YouTube Music clips alone) suggest an industrial-grade data collection operation that goes well beyond passive use of public content.

The security incident itself, discovered in November 2025, exposed customer payment and contact information alongside the training data—a compounding embarrassment for a company arguing it should be trusted with copyrighted content. Suno's assertion that "no sensitive personal information was compromised" contradicts the hacker's apparent access to email, phone numbers, and Stripe details, and the company's refusal to notify customers invokes a narrow reading of privacy law that may not hold up if regulators or affected users challenge it.

FAQ

What sources did Suno scrape music from?
Suno scraped from YouTube Music, Deezer, Genius, Pond5, Jamendo, Freesound, the International Music Score Library Project (IMSLP), MuseScore, and podcasts via PodcastIndex. It also used a third-party company called Bright Data to scrape music from YouTube.
How many songs did Suno train on?
A file shows Suno had consumed 2,013,545 YouTube Music clips. Across all platforms, datasets included hundreds of thousands of hours of YouTube Music, thousands of hours of Deezer, Genius, IMSLP, Jamendo, and Pond5, hundreds of hours of Freesound and MuseScore lyrics, and roughly one million hours of podcasts.
When was the security breach discovered?
Suno became aware of the security incident in November 2025 and stated it was quickly contained. The company did not notify customers about the breach, arguing that individual notifications were not required under applicable privacy laws.

Discussion

No discussion yet for this article

Stay ahead with AI news

Get curated AI news from 200+ sources delivered daily to your inbox. Free to use.

Get Started Free

Free · takes 30 seconds · unsubscribe anytime

1 minute a day. The AI essentials.

200+ sources · Email / LINE / Slack

Get it free →