A hacker reportedly accessed Suno's source code through a supply chain attack, revealing the AI music generator allegedly scraped decades of audio from YouTube Music, Deezer, Genius, stock music libraries, and podcast RSS feeds. According to the hacker, they gained access to employee credentials, enabling them to view the code that allegedly facilitated the data collection. Suno has previously stated it trains its AI on 'publicly available music files' on the open internet, arguing that it can use copyrighted material under the fair use doctrine. However, major record labels claim this practice violates the Digital Millennium Copyright Act (DMCA) and YouTube’s terms of service by deliberately circumventing protections against data scraping. The breach also reportedly exposed customer data, including emails, phone numbers, and partial credit card numbers stored in Stripe. Suno did not notify customers about the November 2025 breach and described it as a 'limited security incident that was quickly contained.'

The incident has drawn attention to broader concerns about data scraping in the AI industry, with Udio, a competitor to Suno, also facing similar accusations. Google, the parent company of YouTube, is also under scrutiny for alleged copyright infringement from major book publishers. The hacker’s findings highlight the risks of using third-party data without proper safeguards, raising questions about the legality and ethics of training AI models on such data.

Source: techcrunch