Article is online

Leaked Files Show Suno Fed Its AI with Hundreds of Thousands of Hours of Deezer, YouTube, Pond5 and Podcast Audio

Leaked Files Show Suno Fed Its AI with Hundreds of Thousands of Hours of Deezer, YouTube, Pond5 and Podcast Audio

Table of Contents




You might want to know


Did a hacker really extract precise logs showing which commercial and streaming services supplied Suno’s training data?


How large and varied was the audio collection reportedly used to train one of the largest AI music generators?



Main Topic


In mid-2026 a security incident exposed internal materials from Suno, a prominent AI music generator, shedding unprecedented light on the company’s data-collection and model-training practices. The leaked artifacts—examined by independent reporters—include scraping scripts, internal logs from 2023 and 2024, and commented source code that itemizes the origins and scale of audio assets used to build the platform’s models. Those materials present a far more detailed and concrete picture than the broader public disclosures Suno had previously made under regulatory pressure.



The leaked code lists large, source-specific hour counts and file tallies. Among the items cited are 113,879 hours attributed to YouTube Music ingestion and over 2,013,545 discrete YouTube Music clips logged in a single ingestion tracking file. Other named sources include 62,117 hours from stock music library Pond5 and 12,287 hours from Deezer. An internal dataset labeled genius_hq reportedly comprised 17,615 hours associated with material sourced through the Genius platform for lyric or metadata alignment. The code further documents plans to collect roughly 1 million hours of podcast audio via RSS feeds. Together, these collections represent millions of recordings spanning multiple decades, genres, and use cases.



Beyond enumerating audio sources, the leaked materials suggest that Suno’s engineers maintained pipelines to scrape and process large volumes of publicly accessible audio. The files include both automated scraping instructions and logs that reveal how ingestion processes were orchestrated, filtered, and annotated. That level of operational detail is unusual in the public record: companies often describe datasets in aggregate but typically do not publish the scripts and internal comments that demonstrate exactly how and from where files were collected.



The leak also contains claims by the intruder that they accessed customer-related records—emails, phone numbers, and Stripe payment data—covering what the hacker described as hundreds of thousands of users. Suno has publicly disputed that sensitive personal information was compromised. In its account, the company stated the incident was identified in November 2025 and characterized the exposure as "limited," largely involving legacy source code no longer used in production. Suno said it believed the nature of the files did not trigger mandatory individual notifications under applicable privacy laws, an assessment that only became widely known after media reporting brought the matter to light.



Regulatory context is important to understanding why the leak became news beyond the security angle. Under California’s AB 2013 disclosure requirements for some AI training practices, Suno had previously acknowledged that its models may have been trained on music that is "subject to intellectual property protection," and it estimated a training corpus spanning tens of millions of publicly available music audio files. That filing was intentionally broad. What the leaked source code contributes is precise attribution: it names platforms, quantifies hours and clip counts, and shows internal intent to expand the corpus even further.



The disclosure also aligned with existing legal disputes. In 2024 and 2025, major recording-industry entities filed lawsuits alleging that AI music companies—including Suno—copied copyrighted tracks directly from streaming sources such as YouTube. Those suits sought substantial damages per claimed infringement. The leaked code has been read by industry lawyers and reporters as corroborative evidence supporting the recording industry’s assertions that unlicensed ingestion of copyrighted material occurred at scale. Parallel litigation has yielded a range of outcomes: some companies settled and moved toward licensing models; others continue to litigate.



From a technical and ethical perspective, the leak amplifies several recurring debates about AI training data: whether scraping publicly accessible content constitutes lawful training material, how to attribute and compensate original creators, and how transparent companies must be about datasets used to create commercial models. The leaked files do not by themselves establish legal liability—that determination ultimately rests with courts and regulators—but they materially change the terms of public discussion by moving from generalities to specific, timestamped operational records.



For artists, rights holders, and platforms, the revelations raise practical questions. How can music creators determine whether their works were included in a training corpus? What recourse is available if they find their work used without permission? The leak also prompts platforms to reexamine how they protect content from large-scale automated scraping and whether contractual or technical measures are adequate. For users of AI music services, the episode highlights trade-offs between convenience and the provenance of the audio models deliver: a quickly generated song may depend on detailed training signals drawn from a mosaic of licensed and unlicensed sources.



Finally, the incident shows how security breaches can accelerate transparency, for better or worse. The materials exposed by the intruder revealed operational evidence that many stakeholders had suspected, and that regulators had started to address through disclosure requirements and litigation. But the same exposure risks leaking personal data and operationally sensitive details that companies and users prefer remain private. Policymakers, companies, and rights holders will likely use this episode to press for clearer rules on dataset disclosure, creator compensation, and defensive measures against mass automated collection of copyrighted works.



Key Insights Table











AspectDescription
Sourcing DetailLeaked code lists platform-specific ingestion figures, including YouTube Music, Pond5, Deezer, Genius, and podcast RSS plans.
Key QuantitiesNotable counts include 113,879 hours (YouTube Music) and 62,117 hours (Pond5).
Personal Data RiskHacker claims customer emails, phone numbers, and Stripe data were accessed; Suno disputes extensive personal-data compromise.
Regulatory ContextSuno had acknowledged possible inclusion of copyrighted music under California disclosure law; the leak supplies specific operational evidence.
Legal ImplicationsLeaked logs may bolster claims in ongoing lawsuits alleging unlicensed use of copyrighted tracks by AI music platforms.


Afterwards...


Looking forward, the leak will likely intensify scrutiny around dataset provenance, compel some companies to accelerate licensing negotiations with rights holders, and influence pending litigation and regulatory guidance. Policymakers may respond by clarifying disclosure obligations for training data and by strengthening rules around automated scraping of copyrighted material. For creators, the incident underscores the need for clearer mechanisms to discover and, if necessary, contest the inclusion of their work in large training corpora.



At the same time, the security dimension should not be overlooked: organizations building AI products must safeguard both intellectual property and user data from intrusion. The Suno episode demonstrates how operational records—scripts, logs, and source comments—can become the primary evidence that shapes public understanding of how AI systems were constructed. Debates over fair use, licensing, and transparency will continue, but the leaked materials have already shifted the conversation by moving many claims from the abstract to the documentable.


Last edited at:2026/7/17

Claude AI

AI Smart Editor