Hacked Suno Source Code Reveals 2 Million YouTube Clips and 62,000 Hours of Pond5 Audio Scraped for AI Training
Leaked Suno source code reveals 2 million YouTube clips and 62,000 hours of Pond5 audio scraped for AI training — the most concrete evidence yet of the company's data practices.
A hacker breached Suno’s systems months ago and walked out with something the AI music industry has never voluntarily surrendered: its own source code. That stolen code, shared with 404 Media, documents in precise detail exactly where the company sourced the training data behind its generative music platform. And the receipts are damning.
The leaked code names names. YouTube Music, Deezer, Genius, Pond5 — spelled right out as data sources. According to figures cited in a LinkedIn post by Peter Madigan referencing the leak, Suno scraped roughly 2 million clips from YouTube Music alone. Pond5, a stock-music and sound-effects marketplace, kicked in some 62,000 hours of audio. And it wasn’t just commercial tracks. 404 Media describes the haul as “decades worth of music and podcasts from the internet,” spanning audio recordings, lyrics pulled from Genius, and spoken-word content.
This is the first time. The first time internal documentation of Suno’s data-collection practices has surfaced publicly, that is. AI music companies have consistently refused to disclose their training data sources, citing competitive sensitivity and, in some cases, pending litigation. The leak strips that ambiguity clean away. The code doesn’t hedge — it names platforms, spells out scraping routines, and quantifies the volume of copyrighted material ingested into the system.
Awkward Timing for Suno
The company is already a defendant in a copyright infringement lawsuit brought by the RIAA on behalf of major record labels, filed in the District of Massachusetts back in June 2024, and that suit alleges Suno trained its models on vast quantities of copyrighted recordings without license. Now the leaked source code hands over potential evidentiary context — a roadmap, in effect, of exactly the kind of systematic scraping the labels have alleged. To be clear: the hack and subsequent leak are separate events from the RIAA litigation. The breach happened months before the leak went public, and no direct connection between the two has been established. But the code gives plaintiffs and their attorneys something concrete to point at. Internal documentation, not inference.
Decrypt and Yahoo Tech later covered the story too, confirming multi-outlet corroboration of the leak’s existence and the platforms named in the code. The core findings have held across reports.
Suno hasn’t publicly responded to the specific allegations arising from the leaked source code. Silence. It follows a pattern common among AI firms facing training-data scrutiny — say nothing about the data, argue fair use in court, let the litigation grind on. Whether that strategy survives the arrival of internal code that appears to document the scraping of millions of clips from named platforms? Open question.
Why the Pond5 Angle Matters
The Pond5 angle carries particular weight. Pond5 is a stock-media platform where contributors license their work for specific commercial uses — film scores, advertisements, video productions — under defined terms. Scraping that catalog wholesale for AI training without a license would likely violate those terms outright, and contributors who uploaded royalty-licensed tracks may have claims that reach beyond the platform itself. YouTube Music and Deezer raise separate but related issues: both host copyrighted recordings under licensing agreements with rights holders that almost certainly do not include redistribution into third-party AI training corpora.
What Makes This Leak Different
What makes the leaked code so significant is its specificity. Prior reporting on AI training practices — across music, text, and image generation — has leaned on forensic analysis, output similarities, and court filings to infer what data was used. The Suno leak is different. It’s the company’s own engineering documentation, written for internal eyes, describing the ingestion pipeline in operational terms. You don’t have to guess what Suno scraped. The code says what it scraped, where it scraped it from, and roughly how much.
For an industry that has built its competitive moat on data secrecy, that’s a breach with few precedents. The RIAA litigation will proceed on its own timeline in the District of Massachusetts, but the leaked code now sits in the public domain — available to plaintiffs, to platform operators whose terms were potentially violated, and to contributors who may never have consented to having their work fed into a machine learning model. Watch for Suno’s next court filing in the RIAA case, where the company will likely be forced to address the code directly.