Crypto

Suno leak points to YouTube, Deezer and Pond5 in AI training data

404 Media reported leaked Suno code showing large audio scrapes, adding new detail to the AI music company’s data practices and breach exposure.

Theo Nakamura

By Theo Nakamura · Staff Writer

· 3 min read

Suno leak points to YouTube, Deezer and Pond5 in AI training data
Photo: Decrypt

Leaked internal files from AI music startup Suno show the company drew on large libraries of audio from YouTube Music, Pond5, Deezer and other platforms to build training data, according to 404 Media. For investors watching the AI boom, the report highlights a key risk around generative AI companies: the data that makes their products work can also create legal, privacy and reputational exposure.

Suno lets users enter a written prompt and receive a complete song within seconds. That kind of system depends on training data, meaning audio and related information used to teach an AI model how musical styles, genres and sounds are structured.

404 Media reported that a hacker breached Suno in 2025 using malware called the Shai-Hulud worm and obtained source code. The outlet said it reviewed leaked files containing scraping instructions and internal logs from 2023 and 2024, which described how Suno’s data pipelines were assembled.

What the leaked files reportedly show

According to internal file comments reviewed by 404 Media, Suno’s training library included 113,879 hours of YouTube Music, 152,162 hours of tagged YouTube tracks, 62,117 hours from stock music library Pond5, 12,287 hours from Deezer, and 17,615 hours in a dataset labeled genius_hq, linked to material collected through Genius.

The leaked code also documented plans to download about 1 million hours of podcast audio through RSS feeds, according to 404 Media. RSS feeds are web links that allow apps and services to automatically fetch newly published audio or text from a publisher.

The report gives unusually specific numbers for a question that has followed AI music companies for years: which songs, clips and catalogs are used to train models. In 2024, the music industry had already raised claims in court about Suno’s use of copyrighted music, according to the report.

The breach also involved user data, the hacker claimed

The same intrusion reached customer emails, phone numbers and Stripe payment data, according to the hacker’s description reported by 404 Media. The hacker described the affected group as hundreds of thousands of users.

Stripe is a payments processor used by many online services. Payment data can vary in sensitivity depending on what information a company stores or can access through its payment provider, but the report did not detail the exact fields exposed beyond the hacker’s description.

Suno’s own California compliance disclosure had already said its training data may include music “subject to intellectual property protection,” according to 404 Media. That disclosure matters because intellectual property protection covers rights such as copyright, which can restrict how creative works are copied, distributed or used.

The leak adds fresh detail to a broader fight over generative AI economics. AI music services need large amounts of audio to improve their systems, while artists, labels and platforms argue over whether that material can be used without permission, licenses or compensation. The reported Suno files do not resolve those legal questions, but they offer a clearer view of the scale and sources of the data 404 Media says appeared in the company’s internal code.

This story draws on original reporting from Decrypt.

More from Crypto

All Crypto