Summary

  • A hacker utilized the Shai-Hulud worm to breach Suno in 2025, leaking source code that reveals over 113,000 hours were scraped from YouTube Music, 62,000 from Pond5, and 12,000 from Deezer, among others.
  • The breach also accessed customer emails, phone numbers, and Stripe payment details for what the hacker claims are hundreds of thousands of users.
  • Suno had previously acknowledged in its California compliance disclosure that its training data might contain music "subject to intellectual property protection."

A hacker infiltrated the AI music platform Suno, extracting source code that details the origins of the company's training data.

This breach was initially reported by 404 Media, which analyzed the leaked information. This affirms claims made by the music industry in court since 2024.

The hacker reportedly used malware called the Shai-Hulud worm—named after the massive sandworms from Frank Herbert's Dune. Suno, a leading AI music generator, allows users to input a text description and generate a complete song in mere seconds; achieving this required a vast training dataset comprising various audio files to teach the model about different genres and styles.

The leaked data includes scraping directives and internal logs from 2023 and 2024, providing insight into how these data pipelines were constructed.

The specifics of the dataset breakdown are noteworthy. Internal comments reviewed by 404 Media indicate that the training library comprised 113,879 hours of YouTube Music, 152,162 hours of tagged YouTube tracks, 62,117 hours from Pond5, 12,287 hours from Deezer, and 17,615 hours linked to a dataset labeled genius_hq, which is associated with content collected via Genius. The code also mentioned plans to download approximately 1 million hours of podcast audio through RSS feeds.

‼️ BREAKING: A hacker breached AI music company Suno using the Shai-Hulud worm and released source code showing how its training set was built:

- 113,879 hours of YouTube Music
- 62,117 hours of Pond5
- 12,287 hours of Deezer
- plus Genius lyrics and a plan to download roughly… pic.twitter.com/iSbM8EHeeQ

— International Cyber Digest (@IntCyberDigest) July 16, 2026

An internal file focused on the ingestion of YouTube Music alone recorded 2,013,545 music clips. This reflects a massive collection of recordings spanning decades, and the interest extended beyond just music.

The hacker claimed to have accessed data belonging to hundreds of thousands of users, including emails, phone numbers, and Stripe-related information. However, Suno contests that sensitive personal information was compromised.

The company stated it detected the incident in November 2025, deeming it "limited." Suno concluded that the exposure mainly involved outdated source code no longer in use, and therefore, individual customer notifications were not necessary under applicable privacy regulations. Users are only now learning about this through media reports.

Notably, Suno had already disclosed on its website that such practices were in place. Under California's AB 2013 law—which mandates AI companies to reveal their training methodologies—the firm publicly acknowledged that its training data might include music "subject to intellectual property protection" and listed tens of millions of publicly accessible music audio files. The hack adds specificity to what had been a vague legal disclosure.

Before the breach, the extent of AI music training had already begun to surface. In June 2026, The Atlantic released four searchable databases cataloging music used for training AI models—one with 12 million tracks, another with 9 million, and two more with around 100,000 each. This allowed users to search for their favorite artists even prior to the hacker's release of the source code.

The Recording Industry Association of America had alleged in a 2025 amendment to its original 2024 lawsuit against Suno that the company was directly copying songs from YouTube—an accusation that Suno countered with a fair use defense. The lawsuit sought $150,000 for each infringement. The hacked source code supports the RIAA's primary claim.

Udio, which was also targeted in a related lawsuit by the same major-label coalition, reached a settlement with Warner Music in November 2025 and is currently transitioning to a licensed platform. Meanwhile, Suno's ongoing case with Sony and UMG remains active in federal court, with the company's valuation reported at $5.4 billion and around 100 million users on the platform.

Suno has not yet responded to a request for comment from Decrypt.

Daily Debrief Newsletter

Stay updated every day with the latest top news stories, along with original features, podcasts, videos, and more.