Suno breach leaks training data sources: YouTube, Deezer, Pond5

Editorial illustration for: Breach leaks Suno's training data sources, revealing YouTube, Deezer, and Pond5 intake

In brief

  • Hacker breached Suno and obtained source code detailing training data assembly methods
  • Suno's training library contained 113,879 hours of YouTube Music and 152,162 tagged YouTube tracks
  • Leaked code corroborates RIAA's allegation that Suno sourced songs directly from YouTube
  • Suno disputes sensitive customer data compromise, claiming exposed code was outdated

The breach and its scope

404 Media first reported the breach, which reviewed the leaked files. The hacker claimed to have used a piece of malware called the Shai-Hulud worm—named after the enormous sandworms in Frank Herbert's Dune. Suno identified the incident in November 2025 and called it limited.

The company determined the exposure primarily involved outdated source code no longer in use. Suno disputes that sensitive personal information was compromised, though the hacker claimed to have accessed records associated with hundreds of thousands of customers, including emails, phone numbers, and Stripe-related information. Suno concluded that individual customer notifications weren't required under applicable privacy laws.

Training data sources mapped

The leaked files documented exactly where Suno's training library came from. Suno's training library included 113,879 hours of YouTube Music, 152,162 hours of tagged YouTube tracks, 62,117 hours from Pond5, 12,287 hours from Deezer, and 17,615 hours in a dataset labeled genius_hq, associated with material collected through Genius. One internal file tracking YouTube Music ingestion alone logged 2,013,545 music clips.

The code also documented plans to download roughly 1 million hours of podcast audio via RSS feeds. These figures underscore the scale of data ingestion required to train a generative music model.

RIAA lawsuit implications

The hacked source code corroborates the RIAA's central allegation that Suno was ripping songs from YouTube. The RIAA alleged in a 2025 amendment to its original 2024 lawsuit that Suno was drawing music directly from the platform. Suno contested the accusation under a fair use defense. The suit sought $150,000 per infringement incident.

Suno's case with Sony and UMG remains active in federal court. Meanwhile, Udio, targeted in a parallel lawsuit filed by the same major-label coalition, settled with Warner Music in November 2025 and is now transitioning to a licensed platform.

Disclosure obligation

Under California's AB 2013 law, which requires AI companies to disclose their training practices, Suno publicly acknowledged that its training data may include music subject to intellectual property protection. The leaked code now provides the specifics the company had only hinted at.