Last updated 1 month ago
Udemy, an online training company headquartered in the United States, suffered a data breach in April 2026 following a 'pay or leak' extortion attempt by the ShinyHunters group. The breach was publicly disclosed on May 3, 2026, after the stolen data was leaked. The incident exposed 1,401,259 unique email addresses belonging to customers and instructors.
The attack involved unauthorized access to Udemy's systems, with ShinyHunters exfiltrating a wide range of data including names, physical addresses, phone numbers, employer information, and instructor payout methods such as PayPal, cheque, and bank transfer details. The threat actor then demanded payment to prevent public release, and upon refusal, leaked the data publicly.
No further post-incident details are available in the article regarding regulatory actions, litigation, ransom payment, or remediation milestones.
Extortion attempt by ShinyHunters group; data leaked publicly after refusal to pay
Udemy's breach underscores the critical need for robust access controls and data minimization practices, particularly for sensitive financial payout information. The exposure of instructor payout methods suggests insufficient segmentation and encryption of high-value data stores. Organizations in the education sector should prioritize regular security audits and implement strict data retention policies to limit the blast radius of such extortion-driven attacks.