A data leak has exposed internal source codes of the AI music service Suno, documenting its training data acquisition. According to the files, more than two million clips from YouTube Music as well as content from Deezer, Genius, and other providers were extracted, as reported by 404 Media. Personal data of customers was also affected.
Source code shows systematic scraping of multiple platforms
The code published by 404 Media dates back to 2023 and 2024 and contains detailed instructions for data collection. Internal comments list platform tags such as “youtube_music”, “deezer”, “genius_hq”, and “jamendo”, along with the note that non-music content would be automatically filtered out. According to this, Suno captured more than two million clips from YouTube Music alone, with a total length of around 113,000 hours. Additionally, there are 12,287 hours from Deezer, more than 17,000 hours from Genius, and over 62,000 hours from the stock platform Pond5. The sheet music archive IMSLP and the lyrics service MuseScore also appear in the lists. These numbers come from the hacked code and are independently unverified.
According to TechCrunch, the attacker gained access to an employee’s credentials through malware called “Shai-Hulud” and thus to the source code. The code also indicates an attempt to collect around 420,000 podcasts via RSS feeds. The files contradict earlier statements from the company that paid and protected content was excluded from data collection.
Suno confirms security incident involving customer data
Suno confirmed to TechCrunch a security incident: it was a limited, quickly contained event. After the breach, contact details of several hundred thousand customers were reportedly accessible, including email addresses, phone numbers, and parts of stored payment data from the billing system Stripe.
Access to the systems dates back to November 2025. Customers were not specifically informed about the incident at that time. Only the publication of the source code by 404 Media in mid-July 2026 made the extent public. This raises additional questions about the company’s information policy, regardless of the actual scraping practice.
The malware responsible for the breach, Shai-Hulud, typically spreads through compromised npm packages and has already affected several technology companies in recent months. Suno did not disclose how many of the affected customers are from Europe. The company has also not provided further details on the exact number of data records accessed and the current status of internal investigations.
Revealed code fuels Suno copyright lawsuits
Suno has been facing lawsuits since 2024 for alleged copyright infringements. Universal Music Group and Sony Music are jointly suing and initially accused the company of training on 560 protected works. The lawsuit has since been expanded to include more than 61,000 additional songs. Suno defends itself by referencing the Fair Use doctrine applicable in the USA for training models.
Warner Music Group reached an agreement with Suno in November 2025 and instead entered into a licensing agreement. The music label Jamendo filed its own lawsuit at the end of June, demanding around 17.8 million euros in damages. The now-revealed source code documents in detail which platforms were specifically affected and could serve as additional evidence in the ongoing proceedings.
It will be crucial whether the courts allow the hacked code as evidence and how Suno explains the discrepancy between its own statements and the internal documents. It also remains to be seen whether competing AI music services like Udio will come under increased scrutiny after similar allegations have already been made against them.


