**AI Music Company Suno Breached: Source Code and Training Data Exposed**
A hacker using the Shai-Hulud worm breached Suno in 2025, leaking source code that details the origins of the company’s training data. The intrusion exposed not only proprietary information about how Suno builds its AI models but also customer data, raising serious privacy and security concerns.
### What Was Leaked?
The hacker, who described using the Shai-Hulud worm—named after the giant sandworms from *Dune*—gained access to internal logs and scraping instructions from 2023 and 2024. According to reviewed documents, the training dataset included:
– **113,879 hours** of YouTube Music
– **152,162 hours** of tagged YouTube tracks
– **62,117 hours** from stock music library Pond5
– **12,287 hours** from Deezer
– **17,615 hours** from a dataset called “genius_hq,” linked to Genius lyrics
The code also revealed plans to scrape approximately **1 million hours of podcast audio** via RSS feeds. One internal file reportedly tracked over **2 million music clips** from YouTube Music alone.
### Customer Data Compromised
Beyond training data, the intruder claimed to have accessed records associated with **hundreds of thousands of users**, including:
– Email addresses
– Phone numbers
– Stripe payment information
Suno has disputed that sensitive personal data was exposed, stating the breach involved outdated source code no longer in use and that individual notifications were not required under privacy laws. The company said it identified the incident in November 2025 and characterized it as “limited.”
### Context and Industry Implications
Suno had previously acknowledged—required by California’s AB 2013 law—that its training data may include music “subject to intellectual property protection.” The leaked materials provide concrete detail to those vague disclosures.
This breach corroborates long-standing accusations from the music industry. In 2024 and 2025, lawsuits filed by the Recording Industry Association of America (RIAA) alleged that Suno was scraping songs from YouTube without authorization. The RIAA had sought statutory damages of up to **$150,000 per infringement**. The leaked code appears to support those claims.
Meanwhile, competitor Udio settled with Warner Music in November 2025 and is transitioning to a licensed model. Suno’s ongoing legal battles involve Sony and Universal Music Group, and the company remains valued at **$5.4 billion** with around **100 million users**.
—
### FAQ
**Q: What is the Shai-Hulud worm?**
A: It is a type of malware used in the breach, named after the giant sandworms from Frank Herbert’s *Dune* universe.
**Q: Which platforms were scraped for training data?**
A: According to the leak, Suno’s training data came from YouTube Music, Pond5, Deezer, and Genius.
**Q: Did customer data get exposed?**
A: Yes. The hacker claimed access to emails, phone numbers, and Stripe payment data for hundreds of thousands of users. Suno disputes that sensitive information was compromised.
**Q: Was Suno aware of its data sources?**
A: Yes. Under California law, Suno publicly disclosed that its training data may include music “subject to intellectual property protection.”
**Q: What legal consequences does Suno face?**
A: The RIAA lawsuit seeks up to $150,000 per alleged infringement. Suno’s cases with Sony and Universal Music Group are still active in federal court.
—
### Conclusion
The Shai-Hulud worm breach has pulled back the curtain on AI music training practices, revealing the vast scale of data scraping involved. For Suno, the leak confirms long-standing industry allegations and complicates its legal and public relations position. As regulators and creators continue to grapple with AI’s impact on music, this breach serves as a stark reminder of the risks and responsibilities inherent in building generative AI systems on copyrighted material.



