Cyber Incident Victim: Suno
Date:
Nov 2025
Location:
—
Summary
Suno was compromised through a supply chain attack that gave an intruder access to employee credentials and source code revealing the firm’s alleged collection of audio from YouTube Music, Deezer, Genius, stock music libraries and podcast RSS feeds. The breach also exposed customer information including email addresses, phone numbers and partial credit card numbers processed via Stripe, though the company characterized the event as a limited security incident that was quickly contained and did not inform affected users. The company has maintained that its AI training relies on publicly available music files under fair use, a position contested by major record labels who accuse it of violating the Digital Millennium Copyright Act by bypassing YouTube’s anti‑scraping measures.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
In November 2025, a hacker conducted a supply chain attack that compromised an employee’s credentials at Suno, according to a report from 404 Media. Using those credentials, the attacker gained access to Suno’s source code, which allegedly revealed that the company had scraped decades of audio from YouTube Music, Deezer, Genius, stock music libraries, and podcast RSS feeds for training its AI music generator. The same intrusion allowed the hacker to obtain customer data, including emails, phone numbers, and partial credit card numbers stored in Stripe. Suno did not inform its customers about the November 2025 breach.

Suno had previously stated that it trains its AI on “publicly available music files” from the open internet and argues that this falls under the fair use doctrine of copyright law. Major record labels that are suing Suno contend that deliberately bypassing YouTube’s anti‑scraping measures violates the Digital Millennium Copyright Act and YouTube’s terms of service. Udio, a competitor of Suno, has faced similar accusations of scraping YouTube data. Google, the parent company of YouTube, is also confronting copyright infringement claims from several major book publishers.
Suno characterized the incident as a “limited security incident that was quickly contained,” though it provided no further details about the containment measures taken. The company did not notify customers about the November 2025 breach, despite the exposure of emails, phone numbers, and partial credit card numbers. The source code that was accessed allegedly shows how Suno scraped audio from YouTube Music, Deezer, Genius, stock music libraries, and podcast RSS feeds. No additional information about remediation or follow‑up actions was provided in the source material.
