A recent security breach at Suno, the company behind the popular AI music generation tool, has provided a granular look at the data used to train its models. According to a report from 404 Media, a hack of the company’s database revealed extensive references to copyrighted music scraped from platforms including YouTube Music, Deezer, and Genius.
Quick Facts
- Over two million music clips were reportedly scraped from YouTube Music.
- Dataset files cite 113,879 hours of YouTube Music, 17,615 hours of Genius, and 12,287 hours of Deezer.
- Suno allegedly utilized third-party proxies and PodcastIndex to identify and scrape hundreds of thousands of podcast files.
- The company confirmed a limited security incident in November 2025, claiming it involved only outdated source code.
The Scale of Ingestion
The leaked files suggest that Suno has ingested at least a decade’s worth of music. Beyond major streaming platforms, the data indicates that Suno used the open tool PodcastIndex to locate and scrape vast quantities of podcast media. This confirms long-standing industry suspicions regarding the origins of the training data that powers the platform's generative capabilities.
Suno has maintained that its actions fall under fair use protections. In a statement to 404 Media, a spokesperson reiterated that their models are trained on "publicly available music files and related metadata accessible on third-party websites on the open internet." They further argued that the tool's outputs are "significantly different" from the original source material and noted that the company has implemented safeguards to prevent impersonation.
Industry and Legal Context
The music industry remains deeply skeptical of these claims. Catherine Anne Davies, a musician and board member of the Featured Artists Coalition, expressed strong opposition to the practice, stating that most artists do not want their work used for AI training. While she acknowledged the potential for AI to assist in creative workflows, she characterized generative AI for creative output as a "big no-no."
Suno’s legal defense relies on a developing body of US case law. While a judge ruled in favor of Anthropic and Meta in separate cases last year, confirming that the use of copyrighted content for AI training can fall under fair use, those rulings did not explicitly resolve all claims regarding the use of pirated material or the specific scraping methods employed by generative AI firms.
Regarding the security incident itself, Suno stated that the breach was "quickly contained" in November 2025. The company claims the investigation verified that "no sensitive personal information was compromised" and that the exposed data was limited to outdated source code no longer utilized by their current models.

