Hacker Leaks Suno Source Code Exposing Massive Scraping of 2 Million YouTube Music Tracks and Customer Data Breach
A hacker operating under the pseudonym ellie.191 has leaked the internal source code of Suno, one of the largest AI-powered music generation platforms, to the investigative outlet 404 Media. The disclosure reveals how the company systematically scraped millions of copyrighted tracks and podcasts to train its generative models.
The leaked materials, believed to originate from 2023 and 2024, contain detailed instructions for downloading content and precise records of dataset sizes. According to the code, Suno obtained more than 2 million music fragments from YouTube Music alone. Additional sources listed in the files include Pond5, Jamendo, Freesound, the International Music Score Library Project, and MuseScore.
One dataset comprised over 152,000 hours of labeled audio from YouTube Music, while another collection from the same platform added 114,000 hours. Approximately 62,000 hours came from Pond5 and more than 12,000 hours from Deezer. Separate scripts were designed to locate karaoke-style versions of songs on YouTube to extract isolated vocals.
To facilitate large-scale downloads, Suno relied on proxy infrastructure provided by Bright Data. Another tool identified 420,000 podcasts and prepared nearly 1 million hours of recordings for ingestion.
The publication corroborates allegations previously made by the Recording Industry Association of America, which accused Suno of bypassing YouTube’s technical protections to copy protected works. Although Suno has publicly stated it trained on tens of millions of publicly available recordings under a fair-use rationale, rights holders continue to challenge this position in court.
In addition to the training data, the hacker claims to have obtained records belonging to hundreds of thousands of Suno customers, including email addresses, phone numbers, and partial payment information processed through Stripe. Several affected users have already verified to 404 Media that the exposed phone numbers match their accounts and that they never received breach notifications.
Suno responded that it detected a limited intrusion in November 2025 and quickly contained it. The company maintains that only outdated source code was accessed and denies that any sensitive personal or full payment card data was exposed. The hacker stated that access was achieved through an employee account infected by the Shai-Hulud worm, which harvested GitHub and cloud-service credentials, and that the operation was conducted out of general curiosity rather than targeted malice.