A supply chain attack allowed a hacker to view Suno’s source code and access customer data, revealing that the AI music generator scraped audio from YouTube Music, Deezer, Genius, and podcast RSS feeds. The intrusion occurred when the attacker compromised an employee’s credentials to reach the codebase, exposing evidence that Suno trained its models on decades of copyrighted material. Although Suno previously defended its approach by citing fair use doctrine, major record labels argue this method violates the Digital Millennium Copyright Act and YouTube’s terms of service. The breach also exposed customer emails, phone numbers, and partial credit card details stored in Stripe, yet the company did not notify users about the November 2025 incident. Suno described the event as a limited security issue that was quickly contained, a statement that stands in contrast to the severity of the exposed information.
This situation matters because it highlights the legal risks facing AI firms that rely on unauthorised data collection to build commercial products. The conflict centres on whether training on publicly available internet content constitutes legal fair use or constitutes copyright infringement under current US law. Competitors like Udio face similar accusations, while Google confronts comparable legal challenges regarding book publishers. The lack of customer notification regarding the data breach further complicates Suno’s position on security and transparency.
- The breach exposed partial credit card numbers via Stripe.
- Suno failed to inform customers about the November 2025 incident.
- Record labels claim the scraping violates the DMCA.




