The cyber attack against Suno strengthened the fight that the platform scrapes unauthorized information from YouTube and other sources. Details are in our news.
Popular music production platform Suno faced a recent cyber attack. According to the report shared by 404 Media, the attackers managed to infiltrate the company’s systems.
The attacker stated that he obtained an employee’s credentials through a supply chain attack. Thanks to this access, the attacker reached the source codes of the platform and shared details revealing how Suno collected educational information.
Data scraping these processes and legal processes
Obtained source codes show that Suno collected decades of audio data from YouTube Music, Deezer, Genius, stock music libraries and podcast RSS feeds. In its previous statements, the company admitted that it trained its artificial intelligence with publicly available music files on the internet.
Suno states that it defends this process under the fair use doctrine in copyright laws. But major record labels suing the platform argue that circumventing YouTube’s scraping defenses violates the Digital Millennium Copyright Act (DMCA).
It is also among the arguments that this action violates YouTube’s terms of service. For example, Udio, Suno’s rival, is accused of using YouTube data without permission.
Google, YouTube’s umbrella company, is also facing lawsuits filed by various publishers due to copyright violations. This further deepens the debate about the source of information used in the training processes of artificial intelligence models.
User information and security breach
The cyber attack affected not only source codes but also user information. The attacker reportedly accessed customer email addresses, phone numbers, and partial credit card information on Stripe.
Suno did not inform its users about this security breach, which occurred in November 2025. The company claims that the incident was a limited security incident and was quickly brought under control.
What do you think about Suno’s training data collection formula and the information breach?