The ShinyHunters extortion group claims to have breached Udemy’s systems, stealing 1.4 million records containing PII and internal corporate data.
The notorious cybercriminal group ShinyHunters has claimed responsibility for a major data breach targeting Udemy, one of the world’s largest online learning platforms, alleging the compromise of over 1.4 million records containing personally identifiable information and internal corporate data. The claim was first observed on April 24, 2026, when ShinyHunters posted a Pay or Leak warning on their data leak site, setting a final deadline of April 27, 2026, for Udemy to respond.
ShinyHunters is a financially motivated extortion group believed to have formed in 2019 and known for its Pay or Leak model. The group first gained notoriety in 2020 by claiming the theft of over 200 million records from more than 13 companies. In 2026, ShinyHunters has significantly escalated its campaign targeting SaaS platforms and the education sector, with prior victims including Vercel, McGraw-Hill, and Harvard University (approximately 115,000 alumni records exposed in February).
Google Threat Intelligence has been actively tracking the group’s expanding SaaS-focused data theft operations. ShinyHunters has pivoted in recent years from traditional network exploitation toward social engineering and identity-layer attacks, including vishing, MFA bypass, and credential harvesting via infostealers. Its campaigns frequently leverage compromised SaaS platforms, third-party integrations, and stolen contractor credentials to bypass perimeter defenses.
As of publication, Udemy has not issued an official statement confirming or denying the breach. Organizations using Udemy are advised to monitor for suspicious activity, reset credentials, and enable multi-factor authentication as a precautionary measure.
Source: Cyber Security News — Udemy Data Breach: ShinyHunters Claims Compromise of 1.4 Million User

