The code also suggested that Suno was using proxies to scrape songs from YouTube through a company called Bright Data, which sells scraping tools, infrastructure, and data services. Additional code shows that with the help of an online tool called PodcastIndex, Suno identified 420,000 different podcasts that had at least five, 30-minute episodes and sought to download roughly 1 million hours of podcasts

The hacker, ellie.191, told 404 Media they breached the company by hacking an individual employee using the Shai-Hulud worm, a supply chain attack that allowed hackers to harvest GitHub and cloud service credentials. They said they also accessed Suno’s customer list, which included customers’ emails and/or phone numbers and Stripe payment details, depending on what they used to login. The hacker provided a sample of some of the customers, some of whom confirmed to 404 Media they had used their phone number to sign up for Suno and said they were never notified of a breach.

Last month, The Atlantic reported on several music databases that are widely used in AI training, consisting of millions of tracks: “Three of the datasets I found are distributed as a list of links to songs on YouTube or Spotify. AI developers download the actual audio using tools that automate the job, some of which allow developers to bypass logins, advertisements, and mechanisms that might earn money or subscribers for creators. Such tools violate the terms of service of these platforms.

Archive link: https://archive.ph/xX3XW

    • unglueclass23@programming.devOP
      link
      fedilink
      English
      arrow-up
      8
      ·
      2 hours ago

      Yeah it was funny to read :

      “Based on the limited nature of the customer information believed to be involved, we determined that individual notifications were not warranted under applicable privacy laws,” the Suno spokesperson added.

      But then (talking about the hacker):

      They said they also accessed Suno’s customer list, which included customers’ emails and/or phone numbers and Stripe payment details, depending on what they used to login. The hacker provided a sample of some of the customers, some of whom confirmed to 404 Media they had used their phone number to sign up for Suno and said they were never notified of a breach.

      I guess email address, phone and payment details don’t matter enough to notify people.

  • eicker@lemmy.world
    link
    fedilink
    English
    arrow-up
    11
    arrow-down
    2
    ·
    edit-2
    2 hours ago

    If the leak is authentic, it doesn’t just expose scraped data: it exposes trust. AI companies keep asking courts to accept »fair use« while telling the public as little as possible about their training data. Transparency shouldn’t arrive through a hack. It should have been there from the start. We really need open source AI beyond open weight models.

    • The Velour Fog @lemmy.world
      link
      fedilink
      English
      arrow-up
      2
      arrow-down
      1
      ·
      edit-2
      21 minutes ago

      Do you outsource your comments to an LLM? Got a lot of the hallmarks of AI writing here and in your previous comments.

      Edit: yeah I’m like 80% certain this is another automated LLM account. Their profile description reeks of it, and except for the first three comments, their comment length is consistent at all times, there is an overuse of colons and “it’s not X it’s Y” statements, and weird formatting choices across the board. This is pretty much a running advertisement for their AI consultant and news (?) platform.

      • eicker@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        ·
        4 minutes ago

        So we’re reaching the stage where sounding consistent is treated as stronger evidence than being wrong? If every structured comment is dismissed as AI, discussion gets replaced by authorship detective work. Refute the points instead of running a literary CAPTCHA on every reply. Thanks!

  • ikt@aussie.zone
    link
    fedilink
    English
    arrow-up
    6
    ·
    3 hours ago

    Wasn’t this already known? Not the hack but the scraping? From Jan 2025:

    “Earlier this year it dawned on me that very little of what generative AI companies were non-consensually scraping off the internet was uncompressed or lossless, they scraped things like YouTube and Spotify and SoundCloud to make their data sets generate AI music.

    https://musictech.com/news/music/benn-jordan-detect-ai-music/

    • unglueclass23@programming.devOP
      link
      fedilink
      English
      arrow-up
      7
      ·
      3 hours ago

      Yeah.

      The lawsuits have made clear that Suno did train on huge amounts of copyrighted works, but the hacked data shared with 404 Media sheds more light on how Suno scraped songs from the internet and where it took them from.