Udemy faces 1.4 million user breach, notorious hackers claim it

The online learning platform appears to be another victim of threat group ShinyHunters.

 

What happened

Udemy, one of the biggest online learning platforms, has likely been the victim of a ransomware attack carried out by ShinyHunters. Although Udemy has not yet confirmed the breach, ShinyHunters posted a demand on their leak site on April 24th, claiming to have approximately 1.4 million user records. According to Cybernews, the malicious group stated, “Over 1.4M records containing PII and other internal corporate data have been compromised. Pay or leak.”

 

Going deeper

ShinyHunters stated that they were giving Udemy until April 27th to respond, or else the group would leak the data and create “several annoying (digital) problems.” The group threatened, “Make the right decision, don’t be the next headline,” pointing out the negative publicity and public trust issues that can be created when a company’s data is leaked. Currently, no data has been published, making it possible that ShinyHunters could be bluffing.

 

In the know

ShinyHunters is quickly making a name for itself among data threat groups. The group, also known as Scattered Lapsus, took credit for a data breach against McGraw Hill early this month. That breach resulted in the records of 13.5 million accounts being leaked. Blame for that data breach was contested, with McGraw Hill saying the breach was the result of an issue with Salesforce, while Salesforce denied the claim. ShinyHunters also recently took responsibility for a data breach against healthcare treatment provider Hims & Hers. The threat group seems to be financially motivated, targeting educational organizations, healthcare companies, and a smattering of other industries. The group is known for going to extremes to receive payment, like harassing executives and their families, and contacting journalists and regulators for maximum negative impact. While it’s unclear where the group originated, members seem to be largely English-speaking.

 

The big picture

Udemy has recently agreed to merge with Coursera, another online learning platform, to form a single, larger company. A data breach at this time likely spells particular trouble, as both organizations are going through a transition period, with the deal expected to close in the latter half of 2025.

Data breaches at educational institutions can be damaging in similar ways to breaches that take place at healthcare organizations. Breaches at companies like Udemy and McGraw Hill can result in financial data exposure, contact information being leaked, and more. Once this data is available on the dark web, it may be used for identity theft or other scams.

Like healthcare organizations, educational institutions have an obligation to keep user data secure. With data breaches continuing to climb, organizations should take advantage of the best tools and systems available, like Paubox’s email suite and email API, which are constantly improving to keep up with evolving trends. Paubox has never been breached, and in a world where breaches occur almost daily, most organizations can’t afford to be the next victim.

 

FAQs

Will Udemy pay the ransom?

Currently, Udemy has not confirmed or acknowledged ShinyHunters’ claims, but the threat group’s previous breaches make it likely that they aren’t bluffing. Regardless, it’s unwise to pay threat actors, because there is no real guarantee that the data will be deleted or returned.

 

Do data leaks guarantee the data will be used for scams?

No. While it’s possible the data may be sold or leaked, it may also enter the dark web with no other consequences. Having data on the dark web does not inherently mean an individual will be hacked or scammed, but it does greatly increase the risk.
