Suno AI music was trained on over 2 million songs scraped from YouTube.
For years, musicians have claimed that AI song generators utilized their work without permission. Recently, a hacker revealed the inner workings of these systems, exposing the details.
Leaked source code from Suno, one of the largest AI music tools, sheds light on the situation. It developed its model by gathering millions of songs and lyrics from the internet. The data was obtained by 404 Media from a hacker who infiltrated the company.
The trove of information is vast. One file labeled “youtube_music” recorded over 2 million clips. Other files contain tens of thousands of hours sourced from Deezer, Genius, and the stock library Pond5. Altogether, this amounts to decades of music recordings.
Extracting the vocals
The code specifies its targets. To obtain clean vocal tracks, it sought a cappella versions of songs on YouTube. To navigate YouTube’s restrictions, Suno used a proxy service called Bright Data for its scraping. Additionally, it scoured 420,000 podcasts, gathering about a million hours of spoken content.
The latest developments from the EU tech industry, a tale from our seasoned founder Boris, and some dubious AI art. It’s free, delivered to your inbox weekly. Subscribe now! None of this information is completely new. In court, Suno has already acknowledged using “basically all quality music files” available on the open web for training. However, the leak exposes the processes behind that admission.
Record labels have long made similar allegations. When suing Suno, the RIAA claimed the company duplicated “decades worth of the world’s most popular sound recordings,” accomplishing this through “stream ripping” from YouTube, avoiding the platform’s copyright protections.
‘Fair use,’ claims Suno
Suno’s defense, like that of many AI companies, hinges on fair use. The organization asserts it trains on “publicly available music files” and creates models for “original creation.” It even omits artist names from its training data to prevent imitation.
Regarding the breach, the company downplayed the situation. It described the November 2025 incident as “limited” and “quickly contained,” claimed the exposed code was outdated, and insisted no sensitive data was compromised. It noted that it does not store full payment card numbers and decided not to inform users at all.
The hacker, known as ellie.191, presents a different account. They reported gaining access via the Shai-Hulud worm, acquiring an employee’s credentials, and obtaining customer emails, phone numbers, and Stripe records. Some users reported to 404 Media that Suno never notified them. The hacker’s motive? “I enjoy hacking anything and everything.”
The larger conflict
The timing is significant. Some labels have reached agreements, signing licensing deals with AI companies rather than engaging in legal battles. Sony remains in litigation, with an important fair-use decision anticipated this summer.
Meanwhile, artists continue to express dissatisfaction with the agreements, asserting that they benefit little. Suno’s CEO, Mikey Shulman, previously remarked that most people “don’t enjoy the majority of the time they spend making music.” Those whose music contributed to training his model might have a different perspective.
Other articles
Suno AI music was trained on over 2 million songs scraped from YouTube.
A breach of Suno AI music revealed its source code, indicating that it harvested millions of tracks from YouTube, Deezer, and Genius to develop its song generator.
