Hacked source code from AI music company Suno lists YouTube Music, Deezer, and Genius among the platforms it scraped to build its AI models, according to a report from 404 Media on Wednesday (July 15).
The code was obtained by a hacker who breached Suno and shared it with the publication.
The same hacker also accessed information on hundreds of thousands of Suno customers, including emails and/or phone numbers, and Stripe payment details, according to the report.
The hacked data corroborates the labels’ allegation that Suno ripped songs directly from YouTube, according to the report.
Suno has already acknowledged in a court filing that its training data was drawn from music across the open internet.
The company is defending itself against Universal Music Group and Sony Music Entertainment in a copyright infringement lawsuit coordinated by the RIAA, and argues that training on copyrighted works is protected as fair use.
In that filing, Suno said its training data “includes essentially all music files of reasonable quality that are accessible on the open internet, abiding by paywalls, password protections, and the like.”
The hacked code names sources Suno drew on and logs the volume of material it took, according to 404 Media.
Comments in one file said the system would pull from “genius_hq, youtube_music, freesound, jamendo, imp, deezer, ytm_tagged,” and that “non-music will be filtered out,” according to 404 Media.
A file named “youtube_music” recorded that it had ingested “2,013,545 music clips,” the publication reported.
The datasets Suno built included 113,879 hours of material logged as youtube_music, plus a further 152,162 hours logged as ytm_tagged, according to the report.
They also included 62,117 hours from the stock library Pond5, 19,514 hours from the International Music Score Library Project, 17,615 hours from Genius, and 12,287 hours from Deezer, the report said.
In total, the material ran to at least decades of audio, according to 404 Media.
Other code showed Suno searching for a capella versions of songs on YouTube, in what 404 Media said appeared to be an effort to isolate vocals.
The code also indicated that Suno used proxies from a company called Bright Data to scrape songs from YouTube, according to the report.
The code also showed Suno using a service called PodcastIndex to pull together some 420,000 podcasts, each with a minimum of five half-hour episodes, and attempting to download about a million hours of audio.
404 Media said it was unclear from the files exactly how Suno scraped material from the other platforms.
Pond5, a stock library owned by Shutterstock, says it holds 2.5 million music tracks, and Suno‘s data suggested it took a substantial portion of the library, according to the report.
Genius does not host songs directly but lets Apple Music subscribers play tracks and samples through its site.
The YouTube scraping is already part of the record industry’s lawsuit against Suno.
In an amended complaint filed in September 2025, the RIAA accused Suno of “stream ripping” recordings from YouTube and circumventing the platform’s “rolling cipher” encryption, which is designed to block unauthorized downloading.
“Suno obtained those copies in the first instance by unlawfully ‘stream ripping’ them from the popular streaming platform YouTube, and circumventing the technological measures designed specifically to prevent such unauthorized copying,” the RIAA wrote in its lawsuit.
404 Media said the hacked data confirmed the RIAA‘s claim that Suno took songs from YouTube.
The labels argue that circumventing those measures breaches the anti-circumvention provisions of the Copyright Act.
That claim sits apart from Suno‘s fair-use defense, which applies to the copying itself rather than to any bypassing of access controls.
The labels are seeking statutory damages of up to USD $150,000 per work infringed, plus up to $2,500 for each act of circumvention.
In May, UMG and Sony asked the court to expand the case from 560 works to 61,026 that they identified in Suno’s training data through audio fingerprinting – a jump that would lift the theoretical maximum in statutory damages from around $84 million to more than $9 billion. The judge has yet to rule.
In a statement to 404 Media, a Suno spokesperson said: “As we have stated in public filings and disclosures, Suno’s AI models have been trained on publicly available music files and related metadata accessible on third-party websites on the open Internet.”
The spokesperson said Suno determined in November 2025 that it had been “the subject of a limited security incident that was quickly contained.”
“As we have stated in public filings and disclosures, Suno’s AI models have been trained on publicly available music files and related metadata accessible on third-party websites on the open Internet.”
suno spokesperson (via 404 Media)
“We immediately conducted an investigation and verified that the incident primarily involved outdated source code that is no longer in use at Suno and that no sensitive personal information was compromised,” the spokesperson said.
“Importantly, Suno does not have access to customers’ full credit card numbers in Stripe,” they added.
The spokesperson said Suno had concluded that individual breach notifications “were not warranted under applicable privacy laws,” and that the company had filed a training-data disclosure required under California law.
The hacker, who uses the name ellie.191[,] told 404 Media they got in by hitting a Suno employee with Shai-Hulud, a supply-chain worm that scoops up GitHub and cloud-service logins.
Some of the customers whose records were exposed confirmed to 404 Media that they had not been notified of a breach.
The hacker said they had no specific motivation, telling 404 Media: “I like to hack anything and everything.”
Deezer, one of the platforms named in the code, is a subscription service that has positioned itself as a prominent player in the identification of AI-generated music.
The company says its tool identifies tracks from models such as Suno and Udio with 99.8% accuracy, and that it was the first streaming service to tag AI music at the platform level.
Deezer says it tagged more than 13.4 million AI tracks across 2025 and removed fully AI-generated music from its recommendations.
Suno‘s court filing said its training data was gathered “abiding by paywalls, password protections, and the like.”
Both Deezer and Pond5, named in the hacked code, require payment for access.
Jamendo, the Luxembourg-based licensing platform named in the code, is separately suing Suno. It filed a copyright infringement claim on June 29 in the same Massachusetts court, alleging Suno trained on a roughly 55,600-track dataset, licensed for non-commercial academic use only, without paying for a commercial licence.
Jamendo is seeking at least €17.8 million ($20 million).
Warner Music Group, a former co-plaintiff, exited the case after settling with Suno in November 2025 and entering a licensing partnership that included Suno‘s acquisition of Songkick.
Suno raised more than $400 million in funding in June.
404 Media has previously reported that Nvidia and Runway ML also scraped YouTube to gather training data. The Nvidia article led to a class action lawsuit against the company in 2025.
Meanwhile, the Suno spokesperson said the company builds its models around what it calls “Original Creation, By Design,” and does not use artist names as a category of training metadata.
“We believe artists deserve both new opportunities and strong protections,” the Suno spokesperson said.
Mikey Shulman, Suno‘s CEO and founder, said on a podcast last year that he believes the “majority of people don’t enjoy the majority of the time they spend making music.”Music Business Worldwide
