New evidence from a security breach at AI music startup Suno has exposed the specific sources the company allegedly used to train its music generation model. The hack, which occurred in November 2025, reportedly revealed that Suno scraped audio from YouTube Music, Deezer, Genius, stock music libraries, and podcast RSS feeds. Main Developments According to a report from 404 Media, a hacker gained access to Suno's source code through a supply chain attack. The breach involved stolen employee credentials and allowed the hacker to view the company's training data collection methods. Customer data was also compromised in the incident. The hacker reportedly accessed customer emails, phone numbers, and partial credit card numbers stored in Stripe, the payment processing platform Suno uses. Read also: Why Whatnot's AI Buy Matters for Live Shopping's Biggest Problem Background Suno has previously acknowledged that it trains its AI on publicly available music files from the open internet. The company has argued that using copyrighted material for training falls under the fair use doctrine, a subjective exception within copyright law. Major record labels are currently suing Suno, alleging that its scraping methods violate the Digital Millennium Copyright Act (DMCA). The labels argue that Suno deliberately circumvented YouTube's protections against data scraping, which they claim also breaches YouTube's terms of service. Udio, a competitor to Suno, faces similar accusations of scraping YouTube data for training. Google, YouTube's parent company, is also dealing with copyright infringement allegations from several major book publishers. Why It Matters The breach reveals the specific platforms Suno may have used for training data, which could strengthen the record labels' legal case. If proven, deliberate circumvention of YouTube's scraping protections could establish a pattern of willful copyright infringement. For Suno's customers, the breach poses immediate privacy risks. The exposure of personal data and partial credit card numbers raises questions about the company's security practices and its failure to notify affected users in a timely manner. What's Next Suno has not notified customers about the breach, which occurred in November 2025. The company described the incident as a limited security event that was quickly contained. The ongoing lawsuits from major record labels, combined with the new evidence from the hack, could accelerate legal proceedings. A court may need to determine whether Suno's training methods constitute fair use or copyright infringement under the DMCA.