Menu
Browse

Cyber Incident Victim: Suno

Date:

Nov 2025

Location:

Summary

Suno was compromised through a supply chain attack that gave an intruder access to employee credentials and source code revealing the firm’s alleged collection of audio from YouTube Music, Deezer, Genius, stock music libraries and podcast RSS feeds. The breach also exposed customer information including email addresses, phone numbers and partial credit card numbers processed via Stripe, though the company characterized the event as a limited security incident that was quickly contained and did not inform affected users. The company has maintained that its AI training relies on publicly available music files under fair use, a position contested by major record labels who accuse it of violating the Digital Millennium Copyright Act by bypassing YouTube’s anti‑scraping measures.

CIA Posture Motives Tactics, Techniques & Procedures
Available to members 1 motive 1 technique
Threat Actors Type Location
0 actors Available to members Available to members

Description

In November 2025, a hacker conducted a supply chain attack that compromised an employee’s credentials at Suno, according to a report from 404 Media. Using those credentials, the attacker gained access to Suno’s source code, which allegedly revealed that the company had scraped decades of audio from YouTube Music, Deezer, Genius, stock music libraries, and podcast RSS feeds for training its AI music generator. The same intrusion allowed the hacker to obtain customer data, including emails, phone numbers, and partial credit card numbers stored in Stripe. Suno did not inform its customers about the November 2025 breach.

Cyber Incident Image

Suno had previously stated that it trains its AI on “publicly available music files” from the open internet and argues that this falls under the fair use doctrine of copyright law. Major record labels that are suing Suno contend that deliberately bypassing YouTube’s anti‑scraping measures violates the Digital Millennium Copyright Act and YouTube’s terms of service. Udio, a competitor of Suno, has faced similar accusations of scraping YouTube data. Google, the parent company of YouTube, is also confronting copyright infringement claims from several major book publishers.

Suno characterized the incident as a “limited security incident that was quickly contained,” though it provided no further details about the containment measures taken. The company did not notify customers about the November 2025 breach, despite the exposure of emails, phone numbers, and partial credit card numbers. The source code that was accessed allegedly shows how Suno scraped audio from YouTube Music, Deezer, Genius, stock music libraries, and podcast RSS feeds. No additional information about remediation or follow‑up actions was provided in the source material.

Sources
Sources available to members
3 sources