Suno source code leak details mass song scraping
A data breach at AI music generator Suno has exposed the exact machinery used to scrape millions of copyrighted songs, adding weight to an ongoing record label lawsuit ahead of a pivotal fair-use ruling this summer.
Leaked source code from Suno has confirmed the AI music company built its models by systematically scraping millions of copyrighted songs and podcasts. A hacker using the alias ellie.191 breached the company's systems and handed the internal data to journalists.
The leaked files reveal the massive scale of the operation. One database labelled "youtube_music" contained more than 2 million clips, while other logs detailed tens of thousands of hours of audio pulled from platforms including Deezer, Genius, and Pond5.
To train its models to replicate clean human vocals, the code specifically hunted for a cappella tracks on YouTube. Suno bypassed the platform's anti-scraping defences by routing its operation through Bright Data, a proxy service. The company also scraped 420,000 podcasts to capture roughly a million hours of speech.
While Suno has previously admitted in court to training on "essentially all music files of reasonable quality" on the open web, the leak exposes the exact technical infrastructure behind that claim. The Recording Industry Association of America (RIAA) is currently suing Suno, accusing it of "stream ripping" decades of popular recordings to dodge copyright protections.
The market stakes
The disclosure carries significant implications as the music industry fractures over how to handle generative AI. Some labels have already abandoned litigation in favour of striking licensing deals with AI startups. However, Sony remains in court, and a pivotal ruling on the fair-use defence is expected this summer.
That judicial decision will likely determine whether AI companies must pay for training data or can continue absorbing copyrighted works for free. Artists, meanwhile, argue that the new licensing deals do little to compensate them for the use of their work.
Suno has dismissed the November 2025 breach as a "limited" and "quickly contained" incident, claiming the exposed code was outdated. The company defended its training practices as "fair use" and "original creation," noting it strips artist names from data to prevent direct copying.
The hacker disputed Suno's downplaying of the incident, claiming to have used a worm called Shai-Hulud to steal an employee's credentials. The breach ultimately exposed customer emails, phone numbers, and Stripe payment records. Suno chose not to notify affected users, a decision that has drawn complaints from those whose data was compromised.
The underlying tension is philosophical as much as financial. Suno chief executive Mikey Shulman once said most people "don’t enjoy the majority of the time they spend making music." The individuals whose copyrighted recordings were systematically scraped to build his product might disagree.