
The company says it was breached in November and "no sensitive personal information was compromised."
bella1105/Shutterstock
Suno — an app that vomits out soulless audio in the form of AI-generated "music" — has been hacked. According to 404 Media, the hacker accessed data related to Suno's training practices, as well as details on its customers.
It's not exactly a secret at this point that copyrighted music has been used for AI training. Last month, The Atlantic dug into datasets containing millions of songs that are used for such purposes.
Still, this hack sheds some more light on Suno's data vacuuming practices. Data the hacker provided to 404 Media indicated that Suno scraped music and lyrics from the likes of YouTube Music, Deezer and Genius, as well as stock music libraries. The company may have used proxy services to scrape music from YouTube, including acapella versions of songs, per the report. It appears Suno used RSS feeds to scrape hundreds of thousands of podcasts too.
Suno has faced a copyright infringement lawsuit from record labels in the US. Late last year, Warner Music Group dropped out of the case as it reached a licensing deal with Suno. Back in 2024, Suno admitted in a court filing that its systems scraped "tens of millions of recordings" from the internet to use as training data, arguing that its approach constituted "fair use under copyright law."
To obtain the data, the hacker said they hit a Suno employee with a worm that allowed them to access credentials for GitHub and cloud services. Along with the details about Suno's music-scraping practices, they reportedly obtained its customer list. This is said to have information regarding hundreds of thousands of Suno customers, including email addresses and phone numbers.
Suno confirmed the hack in a statement to 404 Media. A spokesperson, who also noted that the company has systems that try to prevent users from replicating artist's existing music, said:
As we have stated in public filings and disclosures, Suno's AI models have been trained on publicly available music files and related metadata accessible on third-party websites on the open Internet. In November of 2025, we determined that Suno had been the subject of a limited security incident that was quickly contained. At the time, we immediately conducted an investigation and verified that the incident primarily involved outdated source code that is no longer in use at Suno and that no sensitive personal information was compromised. Importantly, Suno does not have access to customers' full credit card numbers in Stripe.
Based on the limited nature of the customer information believed to be involved, we determined that individual notifications were not warranted under applicable privacy laws.
View original source — Engadget ↗
