ShinyHunters Claims Udemy Data Breach: 1.4 Million User Records at Risk as Ransom Deadline Expires

dark6 28 April 2026

The notorious cybercriminal group ShinyHunters has claimed responsibility for a significant data breach targeting Udemy, one of the world’s largest online learning and course delivery platforms with more than 73 million registered learners. The group alleges it has obtained over 1.4 million records containing personally identifiable information (PII) and internal corporate data, and has issued a “Pay or Leak” ultimatum that reached its final deadline on April 27, 2026.

The Breach Claim

ShinyHunters first surfaced the Udemy breach claim on April 24, 2026, posting a warning on their dark web data leak site demanding payment from the company in exchange for not publicly releasing the stolen data. The group set a firm deadline of April 27, 2026 — the date coinciding with today’s publication — for Udemy to respond to their extortion demand.

According to the group’s claims, the exfiltrated records include:

  • Full names and email addresses of Udemy users
  • Hashed passwords and account creation metadata
  • Course enrollment history and purchase records
  • Internal corporate data and configuration details

As of the time of writing, Udemy has not issued an official public statement confirming or denying the breach. The incident is classified as pending verification, and cybersecurity researchers are actively monitoring ShinyHunters’ leak site for any data publication following the expiration of the deadline.

Who Are ShinyHunters?

ShinyHunters is one of the most prolific cybercriminal groups in recent years, with a track record of high-profile breaches spanning multiple industries. The group has previously claimed responsibility for breaches at AT&T (70 million records), Ticketmaster (560 million records), Santander Bank, ADT, and numerous other major organizations. Their typical modus operandi involves exploiting misconfigured cloud infrastructure — particularly platforms lacking mandatory multi-factor authentication — to exfiltrate large volumes of user data, which is then used as leverage in extortion schemes or sold on dark web forums.

ShinyHunters has also been linked to a broader wave of Salesforce-based credential attacks in 2026, exploiting OAuth token abuse and improperly secured API integrations to pivot across enterprise cloud environments.

Impact on Udemy Users

If the breach claim is verified, the impact on Udemy’s user base could be significant. The platform hosts learners from enterprise corporate training programs, professional certification seekers, and individual skill development users worldwide. A breach of this scale could expose users to:

  • Credential stuffing attacks: If password hashes are cracked, attackers could attempt to reuse credentials across other platforms where users have employed the same password
  • Targeted phishing campaigns: Email addresses combined with course enrollment data enable highly convincing spear-phishing attacks impersonating Udemy, instructors, or certification bodies
  • Identity fraud: PII combinations could be used for account takeover on other services or identity verification bypass

What Udemy Users Should Do Now

Pending official confirmation, Udemy users are strongly encouraged to take the following precautionary steps immediately:

  • Change your Udemy password and ensure it is unique — not shared with any other online account
  • Enable two-factor authentication on your Udemy account if not already active
  • Be alert to phishing emails that reference Udemy, your course history, or certifications, as attackers may use breach data to craft convincing lures
  • Monitor your email address for unexpected account creation notices or password reset requests from other services, which may indicate credential stuffing attempts
  • Use a password manager to generate and store unique, strong passwords for each online service

The Growing Threat of Extortion-Based Breaches

The Udemy incident is the latest in an accelerating trend of “Pay or Leak” extortion attacks, where threat actors do not merely encrypt data for ransom but instead threaten public exposure of sensitive records to amplify pressure on victim organizations. This model is particularly effective because the threat of regulatory fines and reputational damage often exceeds the cost of the demanded ransom, giving threat actors significant leverage even against security-mature organizations.

Secure Bulletin will continue to monitor this developing situation and will update this report if Udemy issues an official statement or if the data is confirmed to have been published.

Source: Cyber Security News
