A hacker has handed 404 Media internal material from Suno that appears to itemize where the AI music generator got its training audio — and the largest single source listed is YouTube Music. The report, published July 15 by Jason Koebler, arrives while Suno is being sued by record labels who allege precisely that.
What was taken
The material stems from a supply-chain attack in November 2025 that compromised an employee's credentials and exposed Suno's source code. What the hacker provided is source code from 2023 and 2024, scraping configuration files and dataset-scope documentation — not strategy memos or executive correspondence. Customer data including emails and phone numbers was also caught up in the breach. Suno confirms the November timing. No other outlet has independently authenticated the files.
The numbers in the files
The documentation lists 2,013,545 YouTube Music clips totaling 113,879 hours, plus a separate "YTM Tagged" set of 152,162 hours. Below that: Pond5 at 62,117 hours, IMSLP at 19,514, Genius at 17,615, Deezer at 12,287, Jamendo at 3,726 and Freesound at 410. Roughly 1 million hours came from about 420,000 podcasts via RSS feeds. Representatives for YouTube Music, Deezer, Genius and the stock libraries did not respond to 404 Media's requests for comment.
What Suno said
Suno did not dispute the scraping. "As we have stated in public filings and disclosures, Suno's AI models have been trained on publicly available music files and related metadata accessible on third-party websites on the open Internet," a spokesperson said, adding that in November 2025 the company "determined that Suno had been the subject of a limited security incident that was quickly contained." The spokesperson said the incident "primarily involved outdated source code that is no longer in use" and that no sensitive personal information was compromised. In court, Suno has already admitted training on "essentially all music files of reasonable quality that are accessible on the open internet."
Why the files matter legally
The labels' September 2025 amended complaint added a DMCA §1201 anti-circumvention theory — that Suno bypassed YouTube's "rolling cipher" to rip audio — with the RIAA seeking $2,500 per act of circumvention on top of per-work damages. Suno argues the cipher is a copy control, not an access control. Warner Music settled in November 2025, licensing its catalog and selling Songkick to Suno; UMG and Sony remain plaintiffs. No court has ruled on fair use or circumvention.
