Technology

A Leaked Data-Prep File Itemizes How Suno Was Trained

The scraping was already admitted in court. What the breach added was the accounting, the proxies, and a customer database Suno decided nobody needed to hear about.

Manish Singh/July 16, 2026/5 min read

Suno told a federal court more than a year ago that it trained on "essentially all music files of reasonable quality that are accessible on the open Internet." So the headline that an AI music company scraped the web is not news. The company signed that admission itself. What changed in November 2025 is that someone got inside and pulled out the source code, and the code does not speak in the careful language of a legal filing. It counts.

404 Media, which received the material directly from the person who breached Suno, published the details, and every other outlet you have seen on this is working downstream of that report. The core artifact is a data-prep routine with a commented block that names each source and tallies its hours. It reads like an invoice for a heist that no invoice was ever meant to exist for.

Screenshot of a prep_data function with a comment block listing dataset names and hour counts, and a terminal showing 135,011 hours of youtube_music
The leaked prep_data block itemizes the training corpus by source and hours, and the terminal at the bottom shows a later run reaching 135,011 hours of YouTube Music.

The numbers in that block: 113,879 hours of YouTube Music, 62,117 of Pond5, 19,514 from the International Music Score Library Project, 17,615 of Genius, 12,287 of Deezer, 3,726 of Jamendo, 410 of Freesound, plus separate lyric splits and foreign-language variants, and a line reading 152,162 hours of something labeled ytm_tagged. The terminal underneath shows a later run that had already climbed to 135,011 hours of YouTube Music, and elsewhere the code notes a single file that had ingested 2,013,545 music clips. The viral summary that made the rounds cited three of these lines. The file is longer and more granular than that, which is the whole point. This is not a vague confession of ambition. It is a register of exactly what was taken and from where.

The part that is harder to argue away

Fair use is the fight everyone expects, and Suno will keep making that argument. There is a separate exposure in the code that does not get a fair-use defense at all. According to the reporting, Suno routed its scraping through Bright Data, a commercial proxy service, to rotate IP addresses and get past YouTube's anti-bot protections, and other code searched specifically for acapella versions of tracks to isolate vocals.

Circumventing a technological measure that controls access to a copyrighted work is independently actionable under Section 1201 of the DMCA. You do not have to prove the underlying use was infringing, and fair use is not a shield against it. The RIAA had already alleged in court that Suno ripped songs straight from YouTube. The hacked data, as 404 Media describes it, corroborates that allegation with the plumbing. That is a different and harder problem than the one Suno has been preparing to litigate.

The customers nobody told

The same intrusion reached a customer list: emails, phone numbers, and Stripe payment data for what the hacker says is hundreds of thousands of users. Suno's account is that the breach was quickly contained, that it primarily exposed outdated source code no longer in use, that no full credit card numbers are retained, and that because the incident was limited it did not feel obligated to notify anyone.

Massachusetts, where Suno is headquartered, requires notification when a resident's email or phone number is accessed by an unauthorized party. The customers who spoke to 404 Media said they were never told. "We decided you did not need to know" is a corporate posture, not a legal exemption, and the gap between the two is exactly the kind of thing a state attorney general exists to close. Read the incentive plainly. A company mid-settlement with record labels, raising money at a reported 2.45 billion dollar valuation, has every reason to keep an unflattering breach quiet and to describe stolen source code as merely outdated.

How one credential became the whole company

The hacker attributes the entry point to Shai-Hulud, a self-replicating npm supply-chain worm. Treat that attribution as the hacker's claim rather than settled forensics, because the outlets describe the vector generically as a supply-chain attack on an employee's credentials, and no independent report has confirmed the specific worm. The timing does fit. A more aggressive wave, called Shai-Hulud 2.0, hit npm in November 2025, the same month Suno dates the incident.

The mechanics are worth understanding even if the name stays provisional, because they explain how a single compromised developer becomes a full source and customer-database leak.

  • It harvests credential files sitting on disk and runs Trufflehog to hunt for secrets.
  • It calls the cloud metadata service on AWS, Azure, and Google Cloud to steal short-lived workload credentials.
  • It uses the victim's own npm credentials to backdoor their published packages and spread further.
  • The 2.0 variant runs during pre-install rather than post-install, which widens the blast radius across developer machines and build pipelines.

None of that requires a nation-state. It requires one developer to install the wrong package, and a company that kept training code and customer records reachable from the same set of credentials.

Where this actually gets decided

The label lawsuits are resolving unevenly. Universal settled with Udio in October 2025. Warner settled with both Udio and Suno in November, and Suno says it plans to move to licensed models in 2026. Sony and Universal are still litigating against Suno in Massachusetts, where the schedule pushes dispositive motions out to 2027, so there is no imminent US ruling to wait for. The nearer test is in Munich, where GEMA's case against Suno has a verdict scheduled for 31 July 2026, before the same court that ruled against OpenAI in November 2025. A win for GEMA would be the first major European decision that AI platforms need authorization to train on copyrighted music.

There is a business shape underneath all of this that the settlements make visible. Operate first on other people's work, get sued only by the parties large enough to sue, then buy your way to legitimacy through licensing deals with those same parties. The labels get paid. The catalogs get cleaned up going forward. The independent musicians whose hours sit inside that prep-data file, the ones with no one to negotiate on their behalf, stay in the training corpus, uncredited and uncompensated, while the company that took them raises another quarter of a billion dollars. The breach did not create that arrangement. It just printed the receipt.