ShinyHunters claims Udemy breach, threatens leak of 1.4 million records

The cybercrime group ShinyHunters has claimed it breached Udemy, an online learning platform, and is threatening to release more than 1.4 million records containing personal and corporate data after alleging the company failed to meet ransom demands.

The group listed Udemy on its dark web leak site on April 24, 2026, asserting it had obtained a large dataset that includes personally identifiable information and internal company data. The attackers issued a deadline of April 27 for the company to respond, warning that failure to comply would result in a public data release and additional disruptive actions.

Days later, the group published a dataset it said belongs to Udemy, stating that negotiations had broken down despite multiple attempts to reach an agreement. The extent and authenticity of the breach have not been confirmed by the company, and it remains unclear which categories of individuals may be affected.

The exposed dataset has been partially analyzed, with 1.4 million email addresses added to the breach notification service Have I Been Pwned. The data is said to include names, physical addresses, phone numbers, employer details and instructor payout information. More than half of the email addresses had previously appeared in other data breaches.

Udemy, which provides online courses to millions of learners worldwide, has not publicly confirmed the incident or disclosed whether its systems were compromised. The platform reported approximately 77 million users in 2024, and its user base has likely grown since then.

The potential exposure raises concerns about identity theft, financial fraud and targeted phishing campaigns, particularly where corporate email addresses and professional information are involved. Such data could also be used to build detailed profiles for further cyberattacks.

The incident comes amid a broader wave of attacks attributed to ShinyHunters, which has targeted major organizations across sectors in recent weeks. The group has claimed responsibility for breaches involving companies such as Amtrak, Rockstar Games, Hims and Hers, Hallmark and Ameriprise Financial, among others. It has also released large datasets tied to retailers and service providers following failed ransom negotiations.

ShinyHunters has been associated with large-scale data theft operations, including prior campaigns targeting enterprise cloud platforms and customer databases. The group typically relies on extortion tactics, threatening public leaks of stolen data to pressure victims into payment.

Udemy recently agreed to merge with Coursera, a competing online education provider, in a move expected to create a larger combined company. The impact of the alleged breach on that transaction and on Udemy’s operations remains unclear as the situation continues to develop.