Udemy Data Breach: ShinyHunters Claims Alleged Compromise
The notorious cybercriminal group ShinyHunters has claimed responsibility for a significant data breach impacting Udemy, Inc. (udemy.com), one of the world’s largest online learning platforms. The group alleges the compromise of over 1.4 million records, reportedly containing personally identifiable information (PII) and internal corporate data.
The claim was first observed on April 24, 2026, when ShinyHunters posted a “Pay or Leak” warning on their data leak site, setting a final deadline of April 27, 2026, for Udemy to respond or face public exposure of the stolen data.

The threat message warns: “Make the right decision, don’t be the next headline,” a hallmark extortion tactic consistent with the group’s established modus operandi.
ShinyHunters is a financially motivated, black-hat extortion group believed to have formed in 2019. It has built a well-documented reputation around the “Pay or Leak” model: exfiltrating sensitive data, threatening victims, and either selling or publicly releasing the data if ransoms are not paid.
The group first gained widespread notoriety in 2020, when they claimed the theft of over 200 million records from more than 13 companies.
In 2026 alone, ShinyHunters has significantly escalated its campaign targeting SaaS platforms and the education sector. Prior victims this year include Vercel, McGraw-Hill, and, earlier in February, Harvard University, where approximately 115,000 sensitive alumni records were exposed.
Google Threat Intelligence has been actively tracking the group’s expanding SaaS-focused data theft operations, attributing the extortion activity to the affiliated cluster UNC6240.
ShinyHunters has pivoted in recent years from traditional network exploitation toward social engineering and identity-layer attacks, including vishing (voice phishing), MFA bypass, and credential harvesting via infostealers.
Their campaigns frequently leverage compromised SaaS platforms, third-party integrations, and stolen contractor credentials to bypass perimeter defenses, as demonstrated in the Vercel breach, where a third-party vendor (Context.ai) was used as the entry point.
The education sector remains a high-value target for ShinyHunters, who previously breached India’s Unacademy platform, stealing over 10 million user accounts.
At the time of publication, Udemy has not issued an official statement confirming or denying the breach. The incident remains pending verification, and cybersecurity researchers continue to monitor the group’s leak site for data publication following the April 27, 2026, deadline.
Organizations using Udemy for employee training or holding active accounts are advised to monitor for suspicious activity, reset credentials, and enable multi-factor authentication as a precautionary measure.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.


