A thread with a siren emoji and the word BREAKING says an analysis of the Suno breach documents an industrial pipeline for training on YouTube music, and it hands you three hard-looking figures: 6.18 million Genius songs indexed, 2.7 million matched to YouTube, a 7.8 terabyte training set. Those numbers travel well because they feel audited, and that is exactly why they deserve a second look before anyone repeats them.
Start with what the breach actually produced. A hacker got into Suno, took source code and training-library details dating to roughly 2023 and 2024, and gave them to 404 Media, which published on July 15. The code names the sources plainly: YouTube Music, Deezer, Genius, plus stock and free catalogs like Pond5, Jamendo, Freesound and IMSLP, and podcasts pulled through RSS. One instruction file lists its inputs as genius_hq, youtube_music, freesound, jamendo, imp, deezer and ytm_tagged, and notes that non-music will be filtered out. There is nothing ambiguous about the intent there.
The scope figures 404 Media took from the code are counted in hours and clips, not songs and terabytes. The youtube_music source shows about 2,013,545 music clips ingested and 113,879 hours. Tagged YouTube tracks add 152,162 hours. Pond5 runs to 62,117 hours, IMSLP to 19,514, Genius to 17,615, Deezer to 12,287, with smaller pulls from Jamendo, Freesound and MuseScore lyrics. The podcast effort reached for something like a million hours across roughly 420,000 shows. The code also describes using Bright Data proxies to get around YouTube's anti-scraping defenses and searching for a cappella versions, which reads like vocal isolation. That is the confirmed core, and it is damning enough on its own.
Where the viral figures come from
Now hold that against the thread. The 6.18 million indexed, the 2.7 million matched, the 7.8 terabytes: none of those appear in 404 Media's reporting, nor in TechCrunch, Variety, Music Business Worldwide, Decrypt, heise or MusicRadar, all of which stayed with the hours-and-clips accounting from the actual files. The terabyte total and the million-song counts trace to a social-media analysis layer sitting on top of the leak. The one outlet that repeats them, Glitchwire, says outright that they are claims circulating on social media that have not been independently verified in their entirety.
This is a common shape. A real document leaks, someone posts a spreadsheet-flavored reading of it, and the reading gets absorbed as if it were the document. The gap between 2 million clips counted in the code and 6.18 million songs asserted in the thread is not a rounding error. It is the difference between something a reporter read in the files and something a bystander computed and presented with a siren.
The images attached to the thread make the point for me. The evidence a reader expects to see, the charts and the code, is not there.

The other attachment is simply the Suno wordmark on an orange gradient. Between a logo and a meme, the post carries zero pages of the code it claims to summarize. That does not make the underlying story false. It means the specific numbers being amplified rest on an analysis you cannot see, attached to pictures that prove nothing.
Three claims worth separating
There are really three distinct assertions tangled together here, and they carry different weights.
- Suno scraped copyrighted music from YouTube and other public sources. Well supported by the leaked code and consistent with what Suno already conceded in court.
- The scraping was targeted and industrial by design. Plausible, and the filtering instructions and proxy use lean that way, though part of it is inference.
- The exact volumes, the 6.18 million and 2.7 million and 7.8 terabytes. Unconfirmed, sourced to social analysis, and not something to launder into fact.
Suno's own posture matters too, and not because a company statement is proof. It confirmed a November incident it says was quickly contained and describes the exposed material as outdated source code no longer in use. Its substantive defense is that it trained on publicly available music and metadata and that this is transformative fair use. Worth remembering that Suno told a federal court more than a year ago that it trained on essentially all reasonable-quality music files on the open internet, and under California's AB 2013 disclosure rule it acknowledged the training data may include material under intellectual property protection. The admission of scale is not new. What the breach adds is the mechanism.
The parts that will actually move
The major labels sued Suno and Udio in June 2024 through the RIAA, Suno's case in Massachusetts and Udio's in the Southern District of New York. The labels later amended to allege Suno ripped directly from YouTube, and the leaked code reads as corroboration of that. Warner broke ranks in late November 2025, settled, struck a licensing partnership, and Suno picked up Songkick in the bargain. Universal and Sony are still in it. Whether YouTube and Google do anything about their own material being pulled through proxies is the open question nobody has answered; YouTube Music and Genius reportedly did not respond to press, and Deezer said it was weighing options.
The quieter story is the collateral one. The same intrusion reportedly reached customer emails, phone numbers and Stripe payment details for a large number of users. That is a concrete harm to ordinary people, and it has gotten a fraction of the attention the training-data angle drew, which tells you something about what a music-scraping headline is worth versus a privacy breach that only touches the paying customers.
The scraping happened. The court fight will turn on what counts as fair use and how much of the archive the labels can put in front of a judge, not on a terabyte figure that no reporter has been able to stand behind. Keep the confirmed numbers and drop the siren.