Published July 16, 2026
The debate surrounding artificial intelligence and music has entered a volatile new phase.
A major security breach involving Suno has exposed internal files that reportedly reveal how the AI music company assembled large portions of the training data used to develop its song generation models.
According to an investigation published by 404 Media, a hacker gained access to Suno’s systems in November 2025 and obtained source code, scraping instructions and information connected to the company’s training libraries. The breach was contained at the time but only became public on July 15, 2026.
The leaked material reportedly indicates that Suno downloaded millions of music clips, lyrics and related metadata from services including YouTube Music, Deezer and Genius. Other sources named in the files include Pond5, Jamendo, Freesound, MuseScore and the International Music Score Library Project.
For artists and rights holders, the scale of the operation is the most alarming part of the revelation.
More Than Two Million YouTube Music Clips
One internal file reviewed by 404 Media reportedly states that Suno had ingested 2,013,545 clips from YouTube Music at the time the document was last updated.
Additional dataset records describe enormous quantities of collected material, including:
- 113,879 hours from a YouTube Music dataset
- 152,162 hours from another tagged YouTube dataset
- 17,615 hours associated with Genius
- 12,287 hours from Deezer
- 62,117 hours from Pond5
- 19,514 hours from IMSLP
- 3,726 hours from Jamendo
- 410 hours from Freesound
The files do not necessarily represent Suno’s complete training library, but they provide one of the clearest glimpses yet into the immense volume of audio gathered during the development of its technology.
Other leaked instructions reportedly show that Suno attempted to collect approximately one million hours of podcasts through PodcastIndex.
Leaked Code Appears to Show How the Music Was Collected
The revelations extend beyond a list of websites and datasets.
Source code dating from 2023 and 2024 reportedly contains instructions for extracting audio from online platforms. Some files suggest that Suno used Bright Data, a commercial web data collection service, to obtain music from YouTube.
The code also appears to include searches for a cappella versions of existing songs. Such recordings can provide isolated or largely separated vocal performances, making them particularly valuable when training systems designed to generate artificial singing voices.
This detail could attract significant attention from vocalists, publishers and record labels because it suggests that the data collection process may have targeted specific musical components rather than simply gathering complete tracks at random.
The Leak Could Strengthen Existing Copyright Claims
The timing could hardly be more sensitive for Suno.
The company is already involved in a major copyright dispute with Universal Music Group and Sony Music Entertainment. The labels accuse Suno of copying protected recordings without authorization to build commercial AI models capable of generating competing musical content.
Suno has not denied that copyrighted recordings were included in its training data.
In a 2024 court filing, the company acknowledged that its models had been trained on tens of millions of recordings and on essentially all music files of reasonable quality that could be accessed on the open internet.
Its legal argument is that using publicly accessible material to train an artificial intelligence model should qualify as fair use under United States copyright law.
That position remains contested. No final court ruling has established that Suno’s specific training practices are legally protected by fair use.
The leaked code may prove particularly significant because the Recording Industry Association of America has accused Suno of circumventing YouTube’s technical protections through stream ripping. The newly exposed material reportedly supports the claim that audio was extracted directly from YouTube and YouTube Music.
Suno Says the Exposed Code Was Outdated
Suno confirmed that it experienced a security incident in November 2025 but described the breach as limited.
A company spokesperson said the incident primarily involved outdated source code that is no longer used by Suno. The company also maintained that no sensitive personal information was compromised.
Suno reiterated that its AI models were trained using music files and related metadata publicly accessible through third-party websites on the open internet.
That statement addresses the availability of the source material, but it does not resolve the central legal question. Content being publicly accessible does not automatically mean that it can be copied, downloaded and used commercially without authorization.
Customer Information Was Also Accessed
The breach was not limited to training data and development files.
The hacker reportedly accessed information associated with hundreds of thousands of Suno users, including email addresses, telephone numbers and certain Stripe payment details.
Suno said it does not have access to customers’ complete credit card numbers and determined that individual notifications were not required under the privacy laws applicable to the incident.
Some users contacted during the investigation reportedly confirmed that they had not received a direct notification from Suno about the breach.
A Rare Look Inside the AI Music Industry
Generative AI companies have traditionally revealed very little about the exact recordings used to train their models.
Developers frequently argue that detailed disclosure could expose confidential technology or allow competitors to reproduce their methods. Artists and rights holders argue that secrecy prevents creators from discovering whether their work has been copied or used without consent.
The Suno leak changes that balance by offering an unusually detailed look at the sources, scale and technical processes allegedly used to assemble an AI music training library.
It also raises questions for platforms such as YouTube, Deezer, Genius, Jamendo and Pond5. Their content may have been publicly available to stream or browse, but their terms of service do not necessarily authorize automated extraction for commercial AI development.
Why This Matters for Musicians
For musicians, this is not simply another technology industry data breach.
The leaked files suggest that enormous collections of human performances, compositions, lyrics and recordings may have been transformed into raw material for a system capable of producing unlimited new music within seconds.
Many of the artists whose work may have entered those datasets were reportedly neither asked for permission nor offered compensation.
That is the fundamental conflict now facing the music business. AI companies argue that model training is a transformative technological process. Creators argue that the process begins with the unauthorized copying of the work that made the technology possible.
The courts will ultimately determine how copyright law applies to these practices. Until then, the Suno leak will intensify demands for transparency, licensing, consent and compensation across the generative music industry.
The Music Industry Now Has a New Piece of Evidence
The leaked material does not, by itself, establish that Suno has committed copyright infringement. That decision belongs to the courts, and the authenticity and legal admissibility of the files may still face scrutiny.
However, the revelations provide far more detail than Suno had previously made public about the construction of its training datasets.
For an industry already struggling with artificial artists, cloned voices and millions of machine-generated tracks, the disclosure represents another decisive moment.
The central question is no longer whether generative music systems were trained on copyrighted recordings.
It is how much music was taken, where it came from, how it was obtained and whether the artists who created it will ever be given a meaningful choice.



