Security

Suno hack reveals scraping of YouTube and Deezer

3 min read
Laptop screen with source code and music waveforms next to a broken padlock symbol on a desk. Image generated with GPT Image 2
Laptop screen with source code and music waveforms next to a broken padlock symbol on a desk.

TL;DR Too Long; Didn’t read

A hacker attack in mid-July 2026 exposed internal source code from Suno that documents the data acquisition of the AI music service. According to 404 Media, the files evidence the scraping of more than two million YouTube Music clips as well as content from Deezer, Genius, and other platforms. Additionally, contact details and payment information of customers were accessible. The case is likely to further burden the ongoing copyright lawsuits against Suno.

Key takeaways

  • The leaked source code dates back to 2023 and 2024 and documents Suno's data acquisition in detail.
  • According to the files, more than two million clips with around 113,000 hours were recorded solely from YouTube Music.
  • Deezer, Genius, Pond5, and the sheet music archive IMSLP also appear in the scraping lists.
  • Contact details and parts of payment information of several hundred thousand customers were also affected.
  • Access dates back to November 2025, and apparently no one was specifically informed at that time.
  • Universal Music Group and Sony Music have since expanded their lawsuit to over 61,000 songs.

A data leak has exposed internal source codes of the AI music service Suno, documenting its training data acquisition. According to the files, more than two million clips from YouTube Music as well as content from Deezer, Genius, and other providers were extracted, as reported by 404 Media. Personal data of customers was also affected.

Source code shows systematic scraping of multiple platforms

The code published by 404 Media dates back to 2023 and 2024 and contains detailed instructions for data collection. Internal comments list platform tags such as “youtube_music”, “deezer”, “genius_hq”, and “jamendo”, along with the note that non-music content would be automatically filtered out. According to this, Suno captured more than two million clips from YouTube Music alone, with a total length of around 113,000 hours. Additionally, there are 12,287 hours from Deezer, more than 17,000 hours from Genius, and over 62,000 hours from the stock platform Pond5. The sheet music archive IMSLP and the lyrics service MuseScore also appear in the lists. These numbers come from the hacked code and are independently unverified.

According to TechCrunch, the attacker gained access to an employee’s credentials through malware called “Shai-Hulud” and thus to the source code. The code also indicates an attempt to collect around 420,000 podcasts via RSS feeds. The files contradict earlier statements from the company that paid and protected content was excluded from data collection.

Suno confirms security incident involving customer data

Suno confirmed to TechCrunch a security incident: it was a limited, quickly contained event. After the breach, contact details of several hundred thousand customers were reportedly accessible, including email addresses, phone numbers, and parts of stored payment data from the billing system Stripe.

Access to the systems dates back to November 2025. Customers were not specifically informed about the incident at that time. Only the publication of the source code by 404 Media in mid-July 2026 made the extent public. This raises additional questions about the company’s information policy, regardless of the actual scraping practice.

The malware responsible for the breach, Shai-Hulud, typically spreads through compromised npm packages and has already affected several technology companies in recent months. Suno did not disclose how many of the affected customers are from Europe. The company has also not provided further details on the exact number of data records accessed and the current status of internal investigations.

Suno has been facing lawsuits since 2024 for alleged copyright infringements. Universal Music Group and Sony Music are jointly suing and initially accused the company of training on 560 protected works. The lawsuit has since been expanded to include more than 61,000 additional songs. Suno defends itself by referencing the Fair Use doctrine applicable in the USA for training models.

Warner Music Group reached an agreement with Suno in November 2025 and instead entered into a licensing agreement. The music label Jamendo filed its own lawsuit at the end of June, demanding around 17.8 million euros in damages. The now-revealed source code documents in detail which platforms were specifically affected and could serve as additional evidence in the ongoing proceedings.

It will be crucial whether the courts allow the hacked code as evidence and how Suno explains the discrepancy between its own statements and the internal documents. It also remains to be seen whether competing AI music services like Udio will come under increased scrutiny after similar allegations have already been made against them.

Frequently asked questions

Were customers of Suno informed about the data leak?

Suno has confirmed the security incident to the media, but targeted notification of all affected individuals is not publicly known so far.

What legal consequences does Suno face due to the leak?

The source code could serve as additional evidence in the ongoing lawsuits from Universal Music Group, Sony Music, and Jamendo, but court approval is still pending.

What is the malware Shai-Hulud?

Shai-Hulud is a malware that spreads through compromised npm packages and has affected several technology companies in recent months.

Has Suno commented on the scraping allegations?

Suno continues to assert that protected and paid content should be excluded from data collection, but the leaked code contradicts this.

Is Suno the only AI music service facing such allegations?

No, the competitor Udio is also facing similar allegations of unauthorized training with copyrighted material.


← Back to the blog