
The cybercriminal group ShinyHunters has claimed responsibility for breaching Udemy, one of the world’s largest online learning platforms, allegedly stealing over 1.4 million user records containing personal information and internal corporate data.
The group posted a “Pay or Leak” warning on its data leak site on April 24, 2026, giving Udemy until April 27 to respond or face public exposure of the stolen data. The threat message warns: “Make the right decision, don’t be the next headline,” a signature extortion tactic the group regularly uses.
This incident highlights the growing threat to educational platforms and SaaS companies, which store massive amounts of sensitive user data but often lack the robust security infrastructure of traditional enterprise targets. The timing is particularly concerning as millions of professionals rely on platforms like Udemy for skill development and corporate training programs.
ShinyHunters is a financially motivated extortion group that formed in 2019 and built its reputation around the “Pay or Leak” model. The group steals sensitive data, threatens victims with exposure, and either sells the information or releases it publicly if ransoms go unpaid. They first gained widespread attention in 2020 when they claimed theft of over 200 million records from more than 13 companies.
The group has significantly escalated its activities in 2026, focusing heavily on SaaS platforms and educational institutions. Their victims this year include:
- Vercel, a web development platform
- McGraw-Hill, the educational publisher
- Harvard University, where approximately 115,000 alumni records were exposed in February
Google Threat Intelligence has been tracking the group’s expanding operations, attributing their extortion activities to an affiliated cluster called UNC6240. The group has evolved from traditional network attacks to more sophisticated social engineering and identity-layer attacks, including voice phishing, multi-factor authentication bypass, and credential harvesting through information-stealing malware.
Their recent campaigns frequently exploit compromised SaaS platforms, third-party integrations, and stolen contractor credentials to bypass security defenses. In the Vercel breach, for example, they used a third-party vendor called Context.ai as their entry point rather than attacking Vercel directly.
The education sector has become a particularly attractive target for ShinyHunters. Educational institutions often store vast amounts of personal data from students, faculty, and alumni, while typically operating with tighter cybersecurity budgets than private corporations. The group previously breached India’s Unacademy platform, stealing over 10 million user accounts.
As of publication, Udemy has not issued an official statement confirming or denying the breach. The company’s silence is not unusual in these situations, as organizations often prefer to investigate claims thoroughly before making public statements that could impact their stock price or user confidence.
The incident remains under verification by cybersecurity researchers, who continue monitoring the group’s leak site for potential data publication after the April 27 deadline passes. If the breach is confirmed, it would represent one of the largest attacks on an online learning platform in recent years.
Organizations that use Udemy for employee training programs should take immediate precautions. Security experts recommend monitoring accounts for suspicious activity, resetting passwords, and enabling multi-factor authentication. Companies should also review what employee data might be stored on the platform and prepare incident response plans in case sensitive information becomes public.
The Udemy incident underscores the broader challenge facing SaaS platforms as they become increasingly central to business operations while remaining attractive targets for cybercriminals seeking valuable personal and corporate data.