
AI music generator Suno suffered a security breach in November 2025 that exposed internal source code and some customer information, according to a report by 404 Media. The leaked material allegedly showed how the company collected large amounts of audio and lyrics from YouTube Music, Deezer, Genius, stock music libraries and podcast feeds.
The hacker told the publication that they gained access through a supply chain attack that compromised an employee’s credentials. Suno described the breach as a limited security incident that was quickly contained and said it did not notify users because it determined that notification was not legally required.
The company said no full payment card details were exposed. However, the hacker reportedly accessed customer names, email addresses, phone numbers and limited Stripe-related payment information, including partial card numbers.
Leaked Code Allegedly Revealed Training Sources
The exposed source code reportedly contained tools and instructions used to collect audio and lyrics during 2023 and 2024. The material allegedly referenced millions of tracks from YouTube Music, alongside content from Deezer, Genius and commercial stock music services.
Suno has previously acknowledged training its models on publicly available music files found online. The company argues that using copyrighted material for AI training is permitted under the fair use doctrine.
Major record labels dispute that position. The Recording Industry Association of America announced lawsuits against Suno and rival Udio in 2024, accusing the companies of copying protected recordings without permission.
The labels later alleged that Suno obtained recordings by bypassing technical protections on YouTube. They argue that such conduct violates the Digital Millennium Copyright Act independently of the wider question of whether model training qualifies as fair use.
Suno Says Incident Was Contained
Suno told media outlets that the breach involved outdated source code and did not expose sensitive personal information or complete credit card data. Payments are processed through Stripe, rather than being stored directly by Suno.
The company did not publicly disclose the breach when it happened. It has also not released a detailed incident report explaining which systems were accessed, how long the attacker remained inside or how many customers were affected.
The leaked material could add pressure to Suno’s ongoing copyright litigation. It may provide record labels with more information about where the company obtained training material and whether it bypassed restrictions placed on downloads.
Suno maintains that its AI allows users to create original music and that its training practices are legally protected. The breach does not settle that dispute, but the reported source code offers a closer look at the scale and methods behind its data collection.
Featured image credits: Adobe Stock
For more stories like it, click the +Follow button at the top of this page to follow us.
