We knew Suno was fond of other people’s music. A hack has just transformed suspicions into detailed inventory: millions of titles sucked up from YouTube, Deezer and Genius to train the AI. Two weeks before a decisive verdict in Germany.
Music-generating AIs, like LLMs, are fueled by data, and no one really knows where the fuel comes from. Suno, one of the most prominent platforms in the sector, has been facing lawsuits from major record companies since 2024, who accuse it of having plundered their catalogs to feed its model. The company defends itself by invoking the fair usethis principle of American law which tolerates certain uses of protected works and repeatedly invoked by AI giants to defend themselves against accusations of intellectual property theft. A hack has just seriously complicated its line of defense: the stolen source code details, platform by platform, the extent of the aspiration.
A music vacuum cleaner connected to YouTube and Deezer
The exfiltrated code, dated 2023 and 2024, reads like an inventory of carefully labeled training libraries. Only one, called “youtube_music”, lists more than two million extractsor tens of thousands of hours of music. The rest draws from Deezer, from Genius (whose lyrics, it should be remembered, are protected texts in the same way as a song), from the Pond5 and Jamendo sound banks, or even from some 420,000 podcasts harvested for nearly a million hours of audio. Nothing resembling random collection, everything like methodical and organized ingestion.
The technical process used says a lot about the deliberate nature of the operation. To cross the protections anti-aspiration de YouTubethe code passed its requests through a commercial infrastructure of relay servers, Bright Data, which makes it possible to change addresses continuously (the principle of the customer who, to avoid the toll, would take a thousand different little roads). Routines even specifically looked for a cappella versions of pieces, just to recover very clear vocals. None of this is really a surprise: in court, Suno has already admitted to having trained on “virtually all music files of decent quality” publicly accessible, and on tens of millions of records. The leak simply turns this vague admission into a precise count, platform by platform, hour by hour.
July 31, a verdict that matters for all of AI
A highly anticipated judgment is due to be rendered in Munich on July 31, in the case between Suno and the German rights management company GEMA (the local Sacem, in short). The chamber concerned is not just any chamber: it is the same one, with the same judge, who condemned OpenAI in November 2025 for the use of song lyrics. A victory for GEMA would be the first European decision to confirm that training a musical AI requires a license. And German law would make it possible to apply it immediately, even in the event of an appeal, with a possible injunction on Suno’s European activities.
Read also: Three publishers, including Hachette, accuse Google Gemini of having looted millions of books
The relay server affair adds another layer to the case. Circumventing technical protection is illegal in itself in the United States, regardless of the fair use debate. Even if Suno ultimately convinces a court that training falls under transformative use, this issue of circumvention would remain on the table. THE American trial has been postponed until April 2027. In the background, a French market which weighs 1.03 billion euros and has 17.7 million streaming subscribers, and creators who observe the battle very closely. For European Suno users, the hack also has a second piece of bad news: it also exposed customer data (email addresses, telephone numbers, bank card fragments) from an intrusion in November 2025 of which the company never notified the people concerned.
Suno boss Mikey Shulman recently said that most people don’t really enjoy the time they spend making music. Artists whose works trained his model will appreciate the formula. Whatever the Munich court decides, its response will draw a line for all generative AI that has ever touched a protected file. And for the curious who were quietly composing their hits on the application, a reminder is in order: their data, too, was lying around in the leak.
👉🏻 Follow tech news in real time: add 01net to your sources on Google, and subscribe to our WhatsApp channel.
Source :
404 Media
