Suno hack reveals alleged music scraping and stolen data
A supply chain attack on AI music generator Suno has exposed alleged mass copyright infringement and compromised customer payment details, highlighting the legal and security risks surrounding generative AI startups.
AI music generator Suno suffered a cyberattack in November 2025 that compromised customer data and exposed sensitive internal source code. A hacker reportedly used a supply chain attack to obtain an employee’s credentials, granting deep access to the company's systems.
The breach resulted in the exposure of sensitive user information, including customer emails, phone numbers, and partial credit card numbers processed through Stripe. Despite the severity of the compromised financial data, Suno did not notify its customers about the intrusion. The company has instead dismissed the event as a "limited security incident that was quickly contained."
However, the accessed source code may pose a far greater threat to Suno's business than the immediate data breach. The hacker told 404 Media that the code reveals how Suno allegedly scraped decades of audio from YouTube Music, Deezer, Genius, various stock music libraries, and podcast RSS feeds to train its models.
These findings directly challenge Suno's stated legal position. The company previously admitted to training its AI on “publicly available music files” found on the open internet, relying on the fair use doctrine as a legal defense. Major record labels currently suing Suno argue that this practice is fundamentally illegal. They contend that deliberately circumventing YouTube's anti-scraping protections violates the Digital Millennium Copyright Act, as well as YouTube’s terms of service.
For the broader technology sector, the hack highlights the fragile legal foundations upon which many generative AI businesses are built. Suno is not an isolated case. Udio, a direct competitor, has also been accused of scraping YouTube data to train its models. Furthermore, Google, the parent company of YouTube, is currently facing its own copyright infringement allegations from a variety of major book publishers.
For European investors and rights holders monitoring the AI industry, the Suno incident serves as a stark warning. It illustrates that high-growth AI startups are simultaneously carrying significant hidden liabilities in data privacy and intellectual property law. As regulatory scrutiny intensifies across Europe, the unresolved tension between AI data requirements and copyright protections continues to threaten the long-term viability of these business models.