
Suno, the AI music generation app, has confirmed it was hacked. According to Engadget, the breach gave a hacker access to internal source code that reportedly details how the company scraped millions of songs to train its AI models, along with data on hundreds of thousands of customers.
The company says the incident happened in November 2025 and was quickly contained. In a statement, Suno said the breach “primarily involved outdated source code that is no longer in use” and that “no sensitive personal information was compromised.” It also clarified that it does not store customers’ full credit card numbers.
But the timing is awkward. Suno is already facing a copyright infringement lawsuit from major record labels in the US, and it admitted in a 2024 court filing that its systems scraped “tens of millions of recordings” from the internet for training data. The company argues that approach counts as fair use under copyright law. Warner Music Group dropped out of the lawsuit late last year after reaching a licensing deal with Suno, but the broader legal fight continues.
The hacker told 404 Media they targeted a Suno employee with a worm that handed over credentials for the company’s GitHub and cloud services. What they reportedly found inside paints a detailed picture of Suno’s data collection operation. According to the report, the scraped sources included:
- YouTube Music
- Deezer
- Genius
- Stock music libraries
- Hundreds of thousands of podcasts via RSS feeds
The hacker also claimed Suno used proxy services to pull audio from YouTube, including acapella versions of songs, which would be particularly relevant to training a model on vocal characteristics.
The customer data the hacker obtained reportedly includes email addresses and phone numbers for hundreds of thousands of Suno users. Despite this, Suno said it decided individual breach notifications were not required under applicable privacy laws, given what it described as the limited nature of the information involved.
This breach matters beyond Suno itself. The AI music industry has been fighting on multiple legal fronts over training data, and internal documents that detail exactly where and how companies pulled copyrighted audio could have significant implications for ongoing and future lawsuits. Last month, The Atlantic reported on datasets containing millions of songs being used for AI training across the industry, and Suno is far from the only company under scrutiny.
Suno noted in its statement that it has systems in place to prevent users from replicating specific artists’ existing music. Whether that holds up legally is another question entirely, and this breach may give plaintiffs more to work with.