// AI NEWS · PLATFORM

A Hack of Suno Exposed Source Code That Reportedly Shows How the AI Music Generator Scraped Its Training Data

Leaked code reviewed by reporters lists datasets pulled from YouTube Music, Deezer, Genius, Pond5, and other sources — measured in tens of thousands of hours each — sharpening the copyright fight the record labels are already waging against Suno.

KompozyTurn one idea into a week of content — across every platform, published for you.
Get Started →

2026-07-15 · by Moe Ameen

What happened

On July 15, 2026, 404 Media reported that a hacker had accessed internal Suno source code that appears to detail how the AI music generator assembled the training data behind its models. The intrusion itself traces to a supply-chain attack in November 2025 — attributed to the self-propagating "Shai-Hulud" worm — that harvested an employee's developer and cloud credentials. Alongside the code, the breach exposed customer records including emails, phone numbers, and partial payment details stored in Stripe. Suno has characterized the event as a limited security incident that was quickly contained.

The reporting centers on dataset manifests found in the code. According to the files, Suno ingested audio measured in hours per source: on the order of 113,000+ hours labeled `youtube_music` (a manifest reportedly counting over two million individual clips), plus large blocks from `pond5_music`, `imslp`, `genius_hq`, `deezer`, `jamendo`, `freesound`, and podcast feeds pulled via a public podcast index — roughly a million hours of podcast audio by one tally. Reporters said the code referenced Bright Data, a commercial web-scraping provider, and included routines that searched specifically for acappella versions of songs. Treat the exact figures as reported-not-confirmed: they come from leaked files dated to 2023–2024, and Suno has not published a training-data ledger of its own.

Suno's public position is unchanged by the leak. The company says it trains on "publicly available music files" accessible on the open internet, that this qualifies as fair use, and that the code in the leak is outdated and no longer in use. It also points to what it calls "Original Creation, By Design" safeguards and says it does not use artists' names as training metadata. The record labels suing Suno frame the same conduct differently: the RIAA has alleged Suno used "stream ripping" to pull audio from YouTube, which — if it circumvented YouTube's technical protections — would implicate the Digital Millennium Copyright Act on top of the underlying infringement claims.

The leak lands on top of active litigation. In June 2024 the RIAA filed copyright suits on behalf of Sony Music, UMG, and Warner — against Suno in federal court in Massachusetts and against rival Udio in New York — seeking damages of up to $150,000 per work. Since then the picture has splintered: Warner reached a settlement and licensing arrangement with Suno in late 2025, and Universal settled with Udio, while Universal and Sony have continued to litigate against Suno. A production-music company has also filed an additional AI-training suit against the company. None of the leaked manifests is a court finding, but they hand the plaintiffs exactly the kind of internal detail these cases usually spend years trying to obtain in discovery.

Why it matters for creators

  • Provenance is now a publishing risk, not an abstraction. If a music tool's training data is contested in court, tracks you generated with it can inherit that legal uncertainty — and platforms are increasingly badging or de-monetizing AI music.
  • The fair-use question that governs AI music is unsettled. Suno argues fair use; the labels argue infringement plus DMCA circumvention. Until a court rules, creators are building on legally uncertain ground.
  • Commercial-use creators are the most exposed. Ads, client work, and monetized videos are where a licensing dispute over the underlying track actually bites — a hobby demo carries less risk than a sponsored campaign.
  • It raises the value of clean, licensable inputs. Creators who can prove where their music, footage, and images came from are better positioned as platforms tighten AI disclosure and provenance rules.
  • The tool still makes only the track. The controversy is about the audio; turning a song into a finished, captioned, on-brand video and getting it published everywhere is a separate job the generator doesn't touch.

How to act on this with Kompozy

This story is a provenance wake-up call, and the practical response isn't to panic about one tool — it's to know where every ingredient in your content came from. Kompozy is built around inputs you can actually account for: brand assets and footage you own and upload, licensed Pexels b-roll, gpt-image and Gemini-generated visuals, and a face-locked persona identity that's yours. It doesn't generate music, and it won't pretend the legal cloud over scraped audio is nothing. What it does is let you keep shipping a full content week while you make a deliberate, defensible choice about the soundtrack — a track you're licensed to use, platform-native licensed audio, or a licensed video-to-music tool like Sonilo — instead of hoping an unsettled fair-use argument holds up on a monetized post.

Concretely: if you build faceless music-driven shorts, Kompozy is where the video actually gets made and distributed. It generates Clipped Shorts, Listicle Video, and Naturalistic Video, composites a persona into brand-exact HyperFrames templates, burns in captions, reframes to 9:16, 1:1, and 16:9, and fans one idea into 25–35 outputs across nine social platforms plus blog and email — all held to one voice by the Persona Brief. Swap the music source without rebuilding your pipeline, keep your visuals brand-safe and traceable, and let Autopilot and the per-post review queue handle scheduling and publishing. The Suno leak is a good reminder that the durable asset isn't any single generator — it's a content operation whose inputs you can stand behind.

Quick takeaways

  • 404 Media reported on July 15, 2026 that leaked Suno source code appears to detail how the company scraped its training data.
  • The underlying breach was a November 2025 supply-chain attack that also exposed customer emails, phone numbers, and partial Stripe payment data.
  • Leaked manifests reportedly list audio by source in the tens of thousands of hours each — YouTube Music, Pond5, IMSLP, Genius, Deezer, Jamendo, Freesound — plus ~1M hours of podcast audio; treat figures as reported, not confirmed.
  • Suno says it trains on "publicly available" files under fair use and that the leaked code is outdated; the RIAA alleges infringement plus DMCA "stream ripping" circumvention.
  • The RIAA sued Suno in June 2024; Warner later settled and licensed with Suno, while Universal and Sony keep litigating. The leak arrives amid active cases.
  • Kompozy generates and publishes the video around a track from inputs you own or license — a way to keep shipping while choosing a defensible music source.

Frequently asked questions

What did the Suno hack reveal about its training data?

According to 404 Media's July 15, 2026 report, leaked internal source code contained dataset manifests listing audio Suno ingested by source — large blocks labeled for YouTube Music, Pond5, IMSLP, Genius, Deezer, Jamendo, Freesound, and podcast feeds, measured in tens of thousands of hours each. The files reference a commercial scraping provider and are dated to 2023–2024. The figures are as-reported from leaked files, not a court finding or a Suno-published ledger.

Is it legal to use Suno-generated music commercially?

Suno grants commercial rights on its paid plans and argues its training is fair use. But the underlying legal question — whether training on copyrighted recordings without a license infringes — is being actively litigated by the major labels, and platforms increasingly badge or de-monetize AI music. For monetized or client work, the safest path is music you can prove you're licensed to use; consult the current terms and, for high-stakes campaigns, a lawyer.

How did Suno respond?

Suno says it trains on "publicly available music files" accessible on the open internet, that this qualifies as fair use, and that the code in the leak is outdated and no longer in use. It points to "Original Creation, By Design" safeguards and says it does not use artists' names as training metadata. It has described the breach as a limited incident that was quickly contained.

What does this mean for creators making music-driven videos?

The controversy is about the audio, not the video around it. You can keep producing captioned, on-brand short-form video in a content engine like Kompozy — Clipped Shorts, Listicle Video, Naturalistic Video, persona formats — while choosing a soundtrack you can stand behind: a licensed track, platform-native licensed audio, or a licensed video-to-music tool. That separates your publishing pipeline from any one generator's legal exposure.

Related news

← All AI news · Get started →