
ShinyHunters Claims Udemy Data Breach of 1.4M Records

ShinyHunters alleges theft of over 1.4 million Udemy records, sets April 27, 2026 deadline for response, warns of public leak. Includes impact and mitigation steps.

Peter Olaleru, Cybersecurity Editor (3 min read)


Source: ShinyHunters (original source)

TL;DR: ShinyHunters claims to have exfiltrated over 1.4 million Udemy records containing personally identifiable information and internal data, demanding a response by April 27, 2026 or threatening public release.

Context

ShinyHunters is a financially motivated extortion group active since 2019, known for its “Pay or Leak” model. The gang has previously hit SaaS providers and education platforms, including Vercel, McGraw‑Hill, Harvard University and India’s Unacademy. Google Threat Intelligence tracks the activity under cluster UNC6240 and notes a shift toward social engineering, vishing, MFA bypass and credential‑stealing infostealers.

Key Facts

On April 24, 2026, ShinyHunters posted a warning on its leak site stating it had compromised more than 1.4 million Udemy records. The message set a final deadline of April 27, 2026 for Udemy to engage, threatening to publish the data if no response is received. The note included the quote: “Make the right decision, don’t be the next headline.” Udemy has not issued an official confirmation or denial as of publication.

What It Means

If the claim is verified, the exposed data could include names, email addresses, course histories and internal corporate information, increasing risk of credential stuffing and targeted phishing for Udemy users and business customers. The incident highlights the education sector’s continued attractiveness to financially motivated actors exploiting third‑party SaaS integrations and stolen contractor credentials.

Mitigations

Organizations using Udemy should immediately reset passwords for associated accounts and enforce multi‑factor authentication. Security teams must monitor for anomalous login attempts and phishing or vishing attempts that reference Udemy or course enrollment. Review and limit third‑party SaaS integrations that connect to Udemy, applying least‑privilege access. Deploy detection rules for known infostealer behaviors (MITRE ATT&CK T1056.001) and for credential‑access techniques such as T1078.004 (Valid Accounts: Cloud Accounts) and T1566.002 (Phishing: Voice Phishing). Ensure endpoint detection and response tools are tuned to flag suspicious PowerShell or script execution (T1059.001) and unusual web protocol traffic (T1071.001).
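The credential-stuffing risk and the "monitor for anomalous login attempts" mitigation above, as an added example that is not part of the original article: a small detector that flags a source IP failing against many distinct accounts inside a short window (the signature of replaying a breached credential list) and lists any account that then logged in successfully from that IP, which is the account to force-reset first. The log format, sample lines, window and threshold are all constructed assumptions, not Udemy's or ShinyHunters' data.

```python
"""Credential-stuffing detector over web-app auth logs (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an assumed "timestamp ip user result" format.
# 203.0.113.7 sprays one password across many accounts (stuffing);
# 198.51.100.4 retries one account (guessing, not stuffing).
SAMPLE_LOG = """\
2026-04-25T10:00:01Z 203.0.113.7 alice@example.com FAIL
2026-04-25T10:00:02Z 203.0.113.7 bob@example.com FAIL
2026-04-25T10:00:03Z 203.0.113.7 carol@example.com FAIL
2026-04-25T10:00:04Z 203.0.113.7 dave@example.com FAIL
2026-04-25T10:00:05Z 203.0.113.7 erin@example.com FAIL
2026-04-25T10:00:06Z 203.0.113.7 frank@example.com OK
2026-04-25T10:00:10Z 198.51.100.4 alice@example.com FAIL
2026-04-25T10:00:11Z 198.51.100.4 alice@example.com FAIL
2026-04-25T10:00:12Z 198.51.100.4 alice@example.com OK
"""

def parse(line):
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result

def detect_stuffing(log, window=timedelta(minutes=5), min_users=5):
    """Return {ip: {"distinct_users": n, "successes": [...]}} for every IP
    whose failures hit at least `min_users` distinct accounts within `window`."""
    events = sorted(parse(l) for l in log.splitlines() if l.strip())
    failures = defaultdict(list)   # ip -> [(ts, user)]
    successes = defaultdict(list)  # ip -> [(ts, user)]
    for ts, ip, user, result in events:
        (failures if result == "FAIL" else successes)[ip].append((ts, user))
    alerts = {}
    for ip, fails in failures.items():
        start = 0  # sliding window over this IP's failures, oldest first
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            users = {u for _, u in fails[start:end + 1]}
            if len(users) >= min_users:
                # a success from the same IP shortly after the spray is the
                # likely-compromised account that needs a forced reset
                hits = {u for t, u in successes[ip]
                        if fails[start][0] <= t <= fails[end][0] + window}
                alerts[ip] = {"distinct_users": len(users),
                              "successes": sorted(hits)}
    return alerts

if __name__ == "__main__":
    print(detect_stuffing(SAMPLE_LOG))
```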

Watch for any data dump on ShinyHunters’ leak site after the April 27 deadline and for Udemy’s official statement regarding the breach.
