Suno hack report points to YouTube scraping claims
404 Media reported that a hacker accessed Suno code and customer data, adding pressure to the AI music startup’s copyright and security fights.
By Jordan Bell · Startups & Deals Reporter
· 3 min read
A reported breach at Suno is raising fresh questions about how the AI music company built its training data, and whether users’ information was exposed. For investors tracking the AI boom, the case shows how copyright risk and data security can hit the same startup at once.
404 Media reported that a hacker said they used a supply chain attack to get an employee’s credentials and reach Suno’s source code. A supply chain attack targets a company through a third-party system, vendor, or dependency rather than breaking directly through the front door.
According to 404 Media, the code the hacker accessed showed how Suno allegedly collected decades of audio from YouTube Music, Deezer, Genius, stock music libraries, and podcast RSS feeds. The report did not say that Suno had publicly confirmed those specific scraping claims.
Suno has previously said in a help article that it trains its AI systems on “publicly available music files” from the open internet. The company has argued that this kind of training can qualify as fair use, a copyright-law defense that can allow limited use of protected works depending on the facts of the case.
Why YouTube scraping is legally sensitive
The major record labels suing Suno have argued that the company’s conduct is unlawful under the Digital Millennium Copyright Act, according to reporting cited by TechCrunch. The DMCA is a U.S. copyright law that, among other things, bars certain efforts to get around technical protections on digital content.
The labels’ argument focuses in part on YouTube’s anti-scraping protections. Scraping means using automated tools to collect data or media from online services. The labels say deliberately bypassing YouTube’s limits would violate the DMCA and YouTube’s terms of service, according to TechCrunch.
That dispute matters beyond Suno because AI companies often need large datasets to train models. In music, the data can include recordings, lyrics, and other copyrighted material controlled by artists, publishers, labels, and platforms. If courts reject broad fair-use arguments, AI firms could face higher licensing costs or limits on what material they can use.
Suno is not the only AI music company facing these claims. TechCrunch reported that Udio, a Suno rival, has also been accused of scraping YouTube audio. Google, YouTube’s parent company, is also facing copyright-infringement allegations from major book publishers over AI training, according to TechCrunch.
Customer data was reportedly accessed
The breach report also included a security issue for Suno users. The hacker reportedly accessed customer information, including email addresses, phone numbers, and partial credit card numbers held in Stripe, according to 404 Media reporting cited by TechCrunch.
TechCrunch reported that Suno did not alert customers about the breach, which occurred in November 2025. Suno described the event as a “limited security incident that was quickly contained,” according to TechCrunch.
The incident adds another layer to Suno’s already high-stakes position. TechCrunch has reported that the company raised another $400 million while still facing copyright lawsuits. The new reporting does not resolve those lawsuits, but it may give rights holders more material to scrutinize as they challenge how AI music tools are trained.
For users, the immediate concern is data exposure. For the broader AI market, the bigger issue is whether fast-growing model companies can prove that their training practices and security controls are strong enough to support the valuations and user trust they are trying to build.
This story draws on original reporting from TechCrunch.