I opened a leaked folder and the scale hit me before the words did. It felt like a data barn swallowing radio stations whole. For a second it was obvious: millions of clips, hours upon hours, and a company that had been hoovering music off the open web.
I’ve chased tech breaches and courtroom filings for years, and you’ll want clarity, not spin. You should expect blunt facts, names, and what they mean for artists, listeners, and platforms you already use.
A folder labeled with dates sat on an exposed server.
The leak, first reported by 404 Media, contained Suno source code from 2023–2024. That code reads like a scraping playbook: instructions and counters tracking exactly where data came from and how much was taken. The list reads like a who’s-who of music feeds—Genius, YouTube Music, Deezer, Freesound, Pond5, and the International Music Score Library Project among them.
How much music did Suno scrape?
Some of the numbers are blunt and hard to ignore: a file tied to YouTube Music referenced 2,013,545 music clips. The datasets were also quantified by time: 113,879 hours from YouTube Music, 17,615 hours from Genius, and 62,117 hours from Pond5. Those are not estimates—those are counters inside the code.
A Stripe export and an outdated API key sat beside training scripts.
Suno confirmed to Gizmodo that a limited incident happened in November 2025 and said the exposed code was “outdated.” The breach reportedly included customer emails, phone numbers, and Stripe payment metadata; Suno says it does not store full credit card numbers. The company also decided not to notify customers individually, citing applicable privacy laws.
Was Suno’s user data exposed?
The answer is yes, but context matters. Suno’s statement frames the leak as limited and focused on legacy code—still, the presence of customer contact info and payment records is a red flag for anyone who’s ever worried about account security.
A music-law lawsuit file sat next to examples of AI outputs.
Major labels—Universal Music Group, Capitol, Atlantic, Warner, and Sony—have sued Suno. One complaint says a prompt such as “1954 rock and roll billy haley comets” produced an output the labels claim echoes Bill Haley’s melody and style. Suno’s public posture: its models were trained on publicly available music and metadata pulled from the open web, which the company argues is fair use.
Suno has been unusually candid in court filings, admitting its training data “includes essentially all music files of reasonable quality that are accessible on the open internet.” Legal firms like Skadden have tracked the few rulings so far, and judges are split on whether scraping for model training qualifies as fair use.
Can artists get paid if their music was scraped?
That’s the million-dollar question labels are trying to answer in court. Suno appears to be banking on a legal defense or on settling if the ruling goes against them. For creators, the immediate reality is a longer legal fight and uncertain compensation paths.
A public scraping log sat next to a filter that blocked artist names.
Suno claims it built guardrails—blocking prompts that contain artist, song, or album names and preventing uploads that match known works. But plaintiffs point to instances where outputs allegedly replicate existing songs. The existence of both a broad scrape and explicit filters feels contradictory: a company scraping everything while trying to prove it won’t recreate the pieces it took.
This contradiction is the heart of why writers, producers, and labels are alarmed. Imagine building a library by vacuuming entire record stores and then promising you’ll never read a book aloud verbatim—that’s the tension at play. The scrape was massive; the protections, according to critics, are porous.
A public postmortem sat next to regulatory uncertainty.
There’s limited legal precedent, and policy is moving in fits and starts. Suno’s argument rests on public-access scraping and a fair use defense. The labels argue that style and melody can be proprietary and that training on their catalogs without permission harms creators and rights holders.
Industry figures are watching. Platforms named in the leak—YouTube Music, Genius, Deezer, and stock libraries like Pond5 and Freesound—now have to reckon with how their data is reused. Payment processor Stripe surfaces because of customer metadata; regulators will want to know why individual notifications weren’t sent.
For you, whether you’re a listener, an indie artist, or a label exec, this is a moment to ask who controls musical labor and who benefits when machine learning turns songs into training fodder.
An assistant built from scraped music sat beside court filings.
That duality—creative promise and legal peril—is where Suno lives. The company markets tools for original creation and says it intentionally avoided using artist names in training metadata. But the leaked counters suggest a hunger for scale rather than careful curation.
I’ll leave you with one image: Suno’s model looks less like a studio and more like a Trojan horse with playlists sewn into it. The question for artists, listeners, and lawmakers is simple: when companies build on the music of others at this scale, who gets paid and who gets blamed?