Suno, the AI music generation tool, has been hacked – and the source code that was accessed reveals in precise detail how the company built its AI models on tens of thousands of hours of music scraped from YouTube Music, Deezer, Genius, stock music libraries and podcast RSS feeds without the permission of rights holders.
The breach actually happened in November 2025. Suno knew about it at the time, contained it, and said nothing publicly. The story only emerged yesterday when the hacker – who goes by the name ellie.191 – shared the breached source code with journalist Jason Koebler at 404 Media, who broke the story.
The hacker says they got in by exploiting a supply chain vulnerability, used something called the Shai-Hulud worm to obtain an employee’s credentials, and then accessed the company’s internal source code. Asked why they targeted Suno, they said simply: “I like to hack anything and everything.”
The scale of what the source code reveals is striking. One file logged 2,013,545 music clips from YouTube Music alone. Comments in the code describe the scope of Suno’s datasets in hours:
113,879 hours of YouTube Music audio, 152,162 hours of “ytm_tagged” content, 17,615 hours from Genius, 12,287 hours from Deezer, 19,514 hours from IMSLP (the International Music Score Library Project), 3,726 hours from Jamendo, 410 hours from Freesound, and 103 hours from MuseScore lyrics.
♡ Nialler9 is independent and reader-supported. Support us on Patreon →
The code is specific about what it was looking for – including, notably, hunting for a cappella versions of songs on YouTube in order to capture clean vocal recordings.
None of this was done with the permission of YouTube, Deezer or the artists whose work was captured. Scraping data from YouTube in this way circumvents the platform’s technical protections against it, which the record labels suing Suno argue is a violation of the Digital Millennium Copyright Act (DMCA) – separate from the copyright infringement claims themselves.
Suno has long acknowledged that it trains on “publicly available music files on the open internet” and has argued that doing so falls under the fair use doctrine. What it had never disclosed before was where exactly that training data came from, or how much of it there was. The hack answers both questions comprehensively.
The company is currently being sued by Sony Music Entertainment and Universal Music Group for copyright infringement. Warner Records was also a plaintiff but dropped out to sign an official partnership with Suno. Producer Kenny Beats (Kenneth Blume) reacted to the news by pointing out that his own work appeared in the training data: “To everyone who thought my music sounded like AI slop, did you ever think it was because Suno was using a dataset that contained 22 of my songs?”
The hacker also says they accessed customer information for hundreds of thousands of Suno users – including email addresses, phone numbers and Stripe payment records. Suno disputes this characterisation. In a statement, a spokesperson said the breach was “quickly contained” after the company learned about it in November, that the exposed source code was “outdated and no longer in use,” and that “no sensitive personal information was compromised” since Suno does not hold customers’ full credit card numbers.
The company did not notify its users of the breach. Some of those users, who were unaware their data had been accessed, told 404 Media they were unhappy to hear about it now.
The hack is, as multiple outlets have noted, a rare window into something the AI music industry has kept deliberately opaque: exactly how these models are built, and whose work they are built on. It strengthens the recent claims in the Atlantic about how AI models are trained.
Suno’s competitor Udio has also been accused of training on scraped YouTube data. Suno’s official position remains that its models are designed for “original creation” rather than replication – it says it leaves artist names out of its training metadata and has built filters to prevent users prompting it to replicate existing artists or songs. Whether that argument holds up in court is still to be determined, but this week’s revelations make the record labels’ case considerably harder to dismiss.
The original 404 Media report by Jason Koebler is worth reading in full.

Niall Byrne is the founder of the most-influential Irish music site Nialler9, where he has been writing about music since 2005. He is the co-host of the Nialler9 Podcast and has written for the Irish Times, Irish Independent, Sunday Times, Totally Dublin, Cara Magazine, Red Bull and more. Niall is a DJ, co-founder of Lumo Club, event curator, Indie Sleaze club promoter, and producer of gigs and monthly listening parties & events in Dublin.