AIToday

Suno AI music tool hacked; source code reveals YouTube scraping

TechCrunch AI3h ago
Suno AI music tool hacked; source code reveals YouTube scraping

Key takeaway

Suno, an AI music generator, was breached via a supply chain attack that exposed source code allegedly showing the platform scraped decades of audio from YouTube Music, Deezer, Genius, and other sources to train its model. This contradicts Suno's public stance that it trains on 'publicly available' music under fair use; record labels suing the company say the scraping violates copyright law and YouTube's terms of service. The hack also exposed customer emails, phone numbers, and partial credit card data.

Summaries like this, in your inbox every morning.

Sign up free →

3 Key Points

  • What happened

    The AI music generator Suno was hacked via a supply chain attack that exposed source code showing the platform allegedly scraped decades of audio from YouTube Music, Deezer, Genius, stock music libraries, and podcast RSS feeds to train its model. The hacker also obtained customer data including emails, phone numbers, and partial credit card numbers. Suno says the November 2025 breach was a 'limited security incident that was quickly contained' and did not notify customers at the time.

  • Why it matters

    Suno has claimed it trains on 'publicly available music files' under fair use doctrine, but major record labels suing the company argue the scraping violates the Digital Millennium Copyright Act (DMCA) and YouTube's terms of service. The leaked source code may strengthen copyright infringement claims against Suno and expose the gap between the company's public defense and its actual training practices. Competitor Udio faces the same YouTube scraping allegations.

  • What to watch

    The hack occurred in November 2025 but was not disclosed to customers at the time. The leaked source code details could significantly impact Suno's ongoing legal battles with record labels over copyright infringement.

In Depth

Suno, a prominent AI music generator, was hacked through a supply chain attack, according to reporting from 404 Media on July 15, 2026. The attacker exploited an employee's credentials to gain access to Suno's source code, which allegedly documented how the platform scraped decades of audio from YouTube Music, Deezer, Genius, stock music libraries, and podcast RSS feeds for training purposes. In addition to the source code breach, the hacker obtained sensitive customer data: email addresses, phone numbers, and partial credit card numbers stored in Stripe. Despite the November 2025 breach date, Suno did not disclose the incident to affected customers, instead characterizing it as a 'limited security incident that was quickly contained.' The leaked source code is particularly significant because it directly contradicts Suno's public legal defense. The company has consistently argued that it trains its AI on 'publicly available music files' and can do so legally under the fair use doctrine — a flexible carve-out in copyright law. However, major record labels actively suing Suno dispute this framing, arguing that deliberately circumventing YouTube's anti-scraping protections violates the Digital Millennium Copyright Act (DMCA) and breaches YouTube's terms of service. The exposed source code suggests a targeted, systematic effort to extract training data from specific platforms, not merely passive collection of openly available files. Suno is not alone in this controversy. Udio, a competing AI music platform, has also been accused of scraping YouTube data. The issue also extends beyond music: Google, YouTube's parent company, faces similar copyright infringement allegations from major book publishers over alleged scraping of copyrighted text. The breach and leaked code may materially strengthen the record labels' legal position in ongoing litigation against Suno.

Context & Analysis

Suno's public defense rests on the claim that it trains on 'publicly available music files' and that such use falls under the fair use doctrine. However, the hacked source code appears to document a more deliberate and systematic approach to data acquisition from specific platforms — YouTube Music, Deezer, Genius, stock music libraries, and podcast RSS feeds — that contradicts the company's characterization. Record labels suing Suno have argued that circumventing YouTube's scraping protections violates the Digital Millennium Copyright Act; the leaked code may provide direct evidence of that circumvention. The breach also places Suno in the broader context of copyright disputes facing AI companies. Competitor Udio has faced identical YouTube scraping accusations, and even Google (YouTube's parent) faces copyright claims from book publishers over alleged scraping of copyrighted text. This pattern suggests that the tension between AI training practices and copyright protection is not unique to music but represents a systemic challenge across the industry.

FAQ

What data did the hacker access?
The hacker obtained customer data including customer emails, phone numbers, and partial credit card numbers in Stripe.
When did the breach occur and was the public notified?
The breach occurred in November 2025. Suno did not notify customers at the time, claiming it was a 'limited security incident that was quickly contained.'
Which sources did Suno allegedly scrape for training?
According to the leaked source code, Suno scraped audio from YouTube Music, Deezer, Genius, stock music libraries, and podcast RSS feeds.

Discussion

No discussion yet for this article

Stay ahead with AI news

Get curated AI news from 200+ sources delivered daily to your inbox. Free to use.

Get Started Free

Free · takes 30 seconds · unsubscribe anytime

1 minute a day. The AI essentials.

200+ sources · Email / LINE / Slack

Get it free →