ShinyHunters Claims Major Data Breach of Udemy, Threatens to Leak 1.4M Records
On April 24, 2026, the cybercriminal group ShinyHunters announced a data breach targeting Udemy, one of the world’s largest online learning platforms, alleging the theft of over 1.4 million records containing personally identifiable information (PII) and internal corporate data. The group issued a "Pay or Leak" ultimatum, demanding that Udemy respond by April 27, 2026, or face public exposure of the stolen data.
ShinyHunters, a financially motivated extortion group active since 2019, has built a reputation for high-profile breaches, including the 2020 theft of 200 million records from 13 companies. In 2026 alone, the group has intensified attacks on SaaS platforms and the education sector, with recent victims including Vercel, McGraw-Hill, and Harvard University (where 115,000 alumni records were exposed).
Google Threat Intelligence tracks the group under the designation UNC6240, noting its shift from traditional network exploitation to social engineering, MFA bypass, and credential harvesting. ShinyHunters often exploits third-party integrations and compromised vendor credentials, as seen in the Vercel breach, where a third-party vendor (Context.ai) served as the entry point.
The education sector remains a prime target, with ShinyHunters previously breaching India’s Unacademy, stealing over 10 million user accounts. As of publication, Udemy has not confirmed or denied the breach, and researchers continue monitoring the group’s leak site for potential data release following the deadline.
The incident underscores the group’s evolving tactics and persistent focus on high-value targets.
Source: https://cybersecuritynews.com/udemy-data-breach/
Udemy TPRM report: https://www.rankiteo.com/company/udemy
McGraw-Hill TPRM report: https://www.rankiteo.com/company/mcgraw-hill-education
Vercel TPRM report: https://www.rankiteo.com/company/vercel
Harvard University TPRM report: https://www.rankiteo.com/company/harvard-university
"id": "mcgverharude1777034314",
"linkid": "mcgraw-hill-education, vercel, harvard-university, udemy",
"type": "Breach",
"date": "4/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'customers_affected': '1.4 million',
                        'industry': 'Education',
                        'name': 'Udemy',
                        'type': 'Online Learning Platform'}],
 'attack_vector': ['Social Engineering',
                   'MFA Bypass',
                   'Credential Harvesting',
                   'Third-Party Integrations'],
 'data_breach': {'data_exfiltration': True,
                 'number_of_records_exposed': '1.4 million',
                 'personally_identifiable_information': True,
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['Personally Identifiable '
                                              'Information (PII)',
                                              'Internal Corporate Data']},
 'date_detected': '2026-04-24',
 'date_publicly_disclosed': '2026-04-24',
 'description': 'On April 24, 2026, the cybercriminal group ShinyHunters '
                'announced a data breach targeting Udemy, one of the world’s '
                'largest online learning platforms, alleging the theft of over '
                '1.4 million records containing personally identifiable '
                'information (PII) and internal corporate data. The group '
                "issued a 'Pay or Leak' ultimatum, demanding a response from "
                'Udemy by April 27, 2026, or risk public exposure of the '
                'stolen data.',
 'impact': {'data_compromised': '1.4 million records',
            'identity_theft_risk': 'High'},
 'initial_access_broker': {'entry_point': 'Third-party vendor (Context.ai)'},
 'investigation_status': 'Ongoing',
 'motivation': 'Financial Extortion',
 'references': [{'source': 'Google Threat Intelligence'}],
 'threat_actor': 'ShinyHunters (UNC6240)',
 'title': 'ShinyHunters Claims Major Data Breach of Udemy, Threatens to Leak '
          '1.4M Records',
 'type': 'Data Breach',
 'vulnerability_exploited': 'Compromised vendor credentials'}