404media.co web signal

Suno hack reveals scraped YouTube, Deezer, podcast training audio

TL;DR

  • A hacker using the handle ellie.191 breached Suno via the Shai-Hulud npm worm, taking 2023-2024 source code and customer Stripe details.
  • Leaked files reportedly show 2,013,545 YouTube Music clips, plus scraped hours from Deezer, Genius, Pond5, and roughly 1 million podcast hours.
  • The disclosure lands mid-RIAA lawsuit over alleged 'stream ripping,' with Suno already having conceded broad scraping of 'the open internet' in filings.

There is a specific kind of interesting when a security breach lands in the middle of an active copyright lawsuit, because it turns a lawyer's theory of the case into a document. That is what happened to Suno, the generative-music startup, according to 404 Media. A hacker going by the handle ellie.191 reportedly exploited the Shai-Hulud npm supply-chain worm to pull source code from 2023 and 2024 out of Suno, along with customer emails, phone numbers, and Stripe payment details, and then handed the material to reporters. The hacker told 404 Media they had 'no specific motivation for hacking Suno.'

The files spell out, in inventory form, where Suno's training audio came from. The reporting lists 2,013,545 clips from YouTube Music running to 113,879 hours, 12,287 hours from Deezer, 17,615 hours from Genius, 62,117 hours from Pond5, 3,726 hours from Jamendo, 19,514 hours from the International Music Score Library Project, and around a million hours of audio pulled from roughly 420,000 podcasts identified through RSS feeds. Code inside the leak reportedly used Bright Data, a commercial scraping infrastructure provider, to extract from YouTube, and included routines that specifically searched for acapella versions of songs.

The reason that matters is legal, not just embarrassing. The RIAA has been suing Suno for what it calls 'stream ripping' from YouTube, and Suno's own court filing already conceded its 'training data includes essentially all music files of reasonable quality that are accessible on the open internet.' A leaked inventory that names Deezer, Genius, Pond5, and YouTube by hour count moves that argument from RIAA allegation to Suno document. Suno's public position is still that training on copyrighted works is fair use.

The honest caveat is that Suno told 404 Media the leaked material is 'outdated source code that is no longer in use' and that 'no sensitive personal information was compromised,' while confirming it had been the subject of a 'limited security incident' discovered in November 2025 and declining to notify affected customers individually. What the reporting doesn't give you is whether the current training pipeline still uses the same sources at the same scale, or how a court will weigh leaked internal documents against the company's own filings.

The forward-looking part, for anyone building or investing around generative audio, is that the discovery phase in these cases just got a lot cheaper for plaintiffs. Every AI music and voice startup that scraped from consumer platforms should assume its ingestion inventory is one breach or one subpoena away from being on the record.

Shared on Bluesky by 9 AI experts (top 5 by trust)