Check Udemy Breach

We provide comprehensive dark web monitoring solutions to safeguard businesses, leveraging advanced technologies and intelligence-driven approaches to detect and mitigate risks associated with compromised data.

About the Udemy Breach

In April 2026, ShinyHunters (aka Scattered Lapsus) issued a "Pay or Leak" extortion demand against Udemy, claiming to have stolen 1.4 million records containing PII and internal corporate data. Udemy made no official statement. The April 27 deadline passed without payment; the data was publicly leaked on April 26, 2026. The breach exposed both customers and instructors, including payment method details such as PayPal accounts and bank transfer info.

Breach Date

April 2026

Affected Users

1.4M accounts

Compromised Data

PII, Payments, Employer

What Should You Do?

  • Reset your Udemy password using a strong, unique password not used elsewhere
  • Check if you've reused this password on other platforms and change them immediately
  • Enable two-factor authentication (2FA) on Udemy and linked payment accounts
  • Consider using a password manager to generate and store unique passwords
  • Stay alert for targeted phishing — attackers have your name, employer, phone, and payment info
  • Instructors: review and update PayPal and bank transfer payout details urgently

Threat Actor

ShinyHunters (aka Scattered Lapsus) — Financially motivated, active since ~2019. Uses vishing, infostealer credentials, and MFA bypass. Known to harass executives and contact media for maximum pressure.

ShinyHunters, Pay-or-Leak, Vishing, MFA Bypass

Incident Timeline

  • Apr 24: Demand posted; 72-hr deadline set
  • Apr 24–27: Udemy issues no statement
  • Apr 26: Data publicly available
  • Apr 27: Deadline passes; 1.4M records fully exposed

Data Exposed

Email Addresses, Full Names, Phone Numbers, Physical Addresses, Employer Info, Job Titles, PayPal Accounts, Bank Transfer Info

Broader Context

Udemy's ongoing merger with Coursera adds risk during the transition period. ShinyHunters also hit McGraw-Hill (13.5M records), Hims & Hers, Harvard, and Vercel in 2026 — all using identity-based tactics via third-party vendors.