A recent security breach at AI music startup Suno has intensified scrutiny over how generative AI models are trained, after leaked internal materials reportedly suggested the company scraped millions of audio files and lyrics from platforms including YouTube Music, Deezer and Genius to build its models.
The information emerged after a hacker claimed to have gained access to Suno's internal systems through a supply chain attack in November 2025, obtaining employee credentials that allegedly exposed source code, training datasets and internal documentation. The leaked material, first reported by 404 Media and subsequently reviewed by multiple technology publications, offers one of the clearest glimpses yet into the data collection practices behind a major AI music platform.
According to the leaked documents, Suno's source code contained references to automated scraping pipelines targeting YouTube Music, Deezer, Genius, stock music libraries and podcast RSS feeds. One internal file reportedly indicated that more than two million YouTube Music clips had been ingested, while dataset records listed hundreds of thousands of hours of audio collected from multiple online sources.
The revelations arrive as Suno is already facing legal action from major record labels over allegations that it trained its AI models using copyrighted music without authorization. The Recording Industry Association of America (RIAA) has argued in court filings that Suno unlawfully bypassed YouTube's technical protections through a practice known as stream ripping, potentially violating both the Digital Millennium Copyright Act and YouTube's terms of service. Suno has maintained that training AI models on publicly available content falls within the scope of fair use, a legal argument that remains under judicial review.
The reported breach has also raised concerns about cybersecurity. The hacker claimed to have accessed customer information including email addresses, phone numbers and partial Stripe payment details. Suno said the incident was a limited security event that was quickly contained and primarily involved outdated source code. The company stated that no sensitive payment information or full credit card data was compromised and said it did not notify customers because it determined the incident did not trigger applicable notification requirements.
The leaked files have renewed debate around transparency in AI training datasets. While Suno had previously acknowledged in court that it trained its models using publicly accessible music files from across the internet, the newly surfaced material appears to identify specific platforms and internal collection methods that had not been publicly disclosed.
The incident also underscores broader challenges facing the generative AI industry. As AI developers race to build increasingly capable foundation models, questions around copyright, licensing and data provenance have become central to ongoing legal disputes involving technology companies, publishers, artists and content creators.
Several AI firms across text, image, video and music generation are currently defending lawsuits over alleged unauthorized use of copyrighted works for model training. The Suno disclosures are likely to become another reference point in these cases as courts continue to examine how existing copyright laws apply to generative AI systems.
For enterprises adopting generative AI, the developments highlight the growing importance of governance, transparency and responsible AI practices. As regulators and rights holders increase scrutiny of model development, companies may face greater pressure to disclose training data sources, strengthen security controls and establish clearer licensing frameworks for AI development.