The cybercriminal group ShinyHunters has claimed responsibility for a potential data breach involving online learning platform Udemy, alleging it has obtained more than 1.4 million records containing sensitive information. The claim remains unverified, and no official confirmation has been issued by the company.
According to the post published on the group’s dark web leak site, the attackers say they exfiltrated personally identifiable information along with internal corporate data. The group issued a “pay or leak” ultimatum, warning that the data could be released publicly if its demands are not met within a set deadline.
The message, posted on April 24, 2026, includes a deadline of April 27 for Udemy to respond. The threat follows a pattern commonly associated with ShinyHunters, which has built a reputation around extortion campaigns targeting large organizations.
At the time of the claim, the group had not provided supporting evidence, such as data samples or screenshots, that would typically help validate the breach. The absence of proof leaves uncertainty around the scale and legitimacy of the incident, although similar claims by the group in the past have sometimes preceded confirmed disclosures.
ShinyHunters is known for targeting SaaS platforms and large enterprises, often combining data theft with extortion tactics. The group has previously claimed responsibility for breaches affecting major organizations and has been linked to incidents involving millions of exposed records across multiple sectors.
The alleged Udemy incident reflects a broader trend in cybercrime operations, where attackers prioritize data exfiltration over system disruption. By focusing on sensitive datasets such as user information and internal documents, threat actors can leverage reputational damage and regulatory risk to pressure organizations into paying ransoms.
If confirmed, the breach could have implications for Udemy’s global user base, which includes millions of learners and instructors. Exposure of personal data could increase the risk of phishing attacks, identity theft, and other forms of targeted fraud.
As of now, the situation remains in the claim stage, with no independent verification or detailed technical analysis available. Security experts typically advise caution in interpreting such announcements until additional evidence or official statements confirm the scope and impact of the alleged breach.
