ShinyHunters Claims Udemy Breach and Threatens to Leak 1.4 Million Records
The ShinyHunters extortion group claimed it breached online learning platform Udemy and stole more than 1.4 million user records, according to multiple reports. The attackers allegedly said the haul includes personally identifiable information and internal corporate files, raising concerns that affected users could face phishing, identity fraud, and other follow-on abuse if the data is authentic.
The group reportedly threatened to publish the stolen information unless Udemy entered negotiations, with reporting indicating a leak deadline of April 27. Researchers and media outlets noted that the exact contents of the dataset had not been independently verified because no sample had been publicly released at the time, but the claim placed Udemy among a growing list of organizations publicly named by ShinyHunters in recent extortion activity.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
1 event from the most recent confirmed update back to the earliest known activity.
ShinyHunters claims Udemy breach and threatens data leak
The ShinyHunters extortion group claimed it had compromised Udemy and stolen more than 1.4 million records, allegedly including personally identifiable information and internal corporate files. The group reportedly warned that it would publish the data unless Udemy negotiated by April 27.
Sources
3 references tracked. Mallory keeps watching after this page renders.
Udemy allegedly breached by ShinyHunters, data leak warned | brief | SC Media
linkedin.com
Open sourceUdemy faces 1.4 million user breach, notorious hackers claim it
paubox.com
Open sourceUdemy faces extortion threat from ShinyHunters | Cybernews
cybernews.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
ShinyHunters Claims Carnival and Udemy Breaches in Extortion Campaign
ShinyHunters claimed responsibility for a major breach affecting Carnival Corporation, with data tied to Holland America Line’s **Mariner Society** loyalty program appearing online after an alleged extortion attempt failed. According to Have I Been Pwned, the leaked dataset contained **8.7 million records** and **7.5 million unique email addresses**, including names, dates of birth, genders, and loyalty program status details. Carnival acknowledged a security incident and said it had identified a phishing attack involving a single user account, while continuing to assess the scope of unauthorized access; the gang separately alleged it also stole terabytes of internal corporate data, a claim that had not been independently verified. The same group also posted a **"Pay or Leak"** notice claiming it had compromised Udemy and stolen more than **1.4 million user records** along with internal corporate data, giving the company a deadline before any public release. Udemy had not confirmed the incident at the time of reporting, leaving the claim unverified, but the allegation fits a broader ShinyHunters campaign targeting SaaS and education organizations through social engineering, credential theft, MFA bypass, and abuse of third-party access. The incidents underscore the group’s continued use of extortion-backed data theft to pressure victims and expose customer information.
May 6, 2026
ShinyHunters Publishes Stolen Data From Bumble, Match Group, and Dozens of Firms
ShinyHunters has published a broad trove of allegedly stolen data affecting more than 40 organizations across retail, healthcare, hospitality, insurance, and consumer services, with reporting tying the leak campaign to victims including **Bumble**, **Match Group**, **Mytheresa**, **Zara**, **Carnival**, and **7-Eleven**. Researchers said the exposed material includes personally identifiable information, customer and transaction records, internal corporate files, and multi-terabyte datasets; one of the largest alleged exposures involved **Medtronic**, where roughly **9 million records** were reportedly listed before that entry was later removed from the leak site. The campaign reflects ShinyHunters' continued shift from ransomware-style encryption to **data theft and extortion**, with the group allegedly threatening to keep victim data available indefinitely on criminal platforms. Separate reports said the actors claimed to have stolen about **10 million records** from dating-app companies, while researchers also linked leaked **Bumble** data to the same operation after an earlier claim that roughly **30GB** had been taken from the company. The disclosures echo a wider criminal pattern in which stolen sensitive data is leaked to pressure victims after exfiltration, including in healthcare breaches such as the Change Healthcare incident.
Jun 7, 2026
ShinyHunters Leaks Donor and Alumni Data Stolen from Harvard and UPenn
**ShinyHunters** published datasets it claims were stolen during prior breaches at **Harvard University** and the **University of Pennsylvania (UPenn)**, posting what it says are **over one million records from each university** to its leak site used for extortion. Reporting indicates the exposed information relates to the schools’ development/alumni functions; TechCrunch said it verified portions of the data by corroborating details with alumni and public records (including matching against student ID numbers). Both universities attributed the intrusions to **social engineering** targeting staff supporting alumni and fundraising operations. UPenn previously confirmed unauthorized access to “a select group” of systems tied to development and alumni activities and said attackers also used official university email addresses to message alumni about the incident. Harvard reported its Alumni Affairs and Development environment was accessed following a **phone/voice-phishing** attack, and its incident FAQ described impacted data as including contact details (email, phone, home/business addresses), event attendance, donation details, and other biographical and fundraising-related information; public reporting noted uncertainty about whether affected individuals would receive individual notifications under applicable state requirements.
Mar 21, 2026