ShinyHunters breaches Udemy, threatens to leak 1.4m stolen records
- Marijan Hassan - Tech Journalist
The notorious cybercrime syndicate ShinyHunters has listed the e-learning giant Udemy on its dark web extortion site, claiming to have exfiltrated over 1.4 million records containing sensitive personal and corporate data. On April 24, 2026, the group issued a "final warning" to the platform, setting a deadline of April 27, 2026, for Udemy to negotiate before the stolen information is publicly released.

The threat, posted with the group's signature "Pay or Leak" ultimatum, warns the company to "make the right decision" to avoid becoming the next major headline.
Extent of the alleged breach
While Udemy has not yet officially confirmed the compromise, security researchers monitoring the leak site report that the haul allegedly includes:
- Personally Identifiable Information (PII): Names, email addresses, and account details of learners and instructors.
- Corporate data: Internal documents and data related to Udemy’s business-to-business (B2B) training operations.
Experts warn that because Udemy is used for career-building, the data could be highly valuable for targeted phishing and social engineering attacks against specific corporate sectors.
A pattern of SaaS and education targeting
The Udemy incident is part of an aggressive 2026 campaign by ShinyHunters (tracked by Google Threat Intelligence as UNC6240) focusing on SaaS platforms and educational institutions. The group has already claimed high-profile victims this year, including:
- Harvard University: 115,000 alumni records exposed in February.
- Vercel: Compromised via a third-party integration (Context.ai).
- McGraw-Hill: Data theft involving academic resources and user information.
Researchers at Obsidian Security have noted that ShinyHunters has pivoted away from traditional network exploits, instead favoring identity-layer attacks. Their 2026 tactics include sophisticated voice phishing (vishing), MFA bypass, and the use of infostealer malware to hijack legitimate employee or contractor credentials.
Recommended Actions
- Credential reset: Users should proactively change their Udemy passwords and any identical passwords used on other sites.
- Enable MFA: Ensure Multi-Factor Authentication is active on all accounts, preferably using hardware keys or authenticator apps rather than SMS.
- Monitor for phishing: Be highly skeptical of any unsolicited emails or calls claiming to be from Udemy, HR departments, or educational services.
Udemy is currently investigating the claims. Security teams are advised to monitor the April 27 deadline closely for the potential release of sample data that could confirm the breach's legitimacy.