Udemy Data Leak: 1.4M Records - Emails & Payouts Exposed (2026)
In April 2026, online training company Udemy was the victim of a “pay or leak” extortion attempt perpetrated by the ShinyHunters group. The data was subsequently leaked publicly and contained 1.4M unique email addresses belonging to customers and instructors. The data also included names, physical a...
Overview
On April 24, 2026, the online training platform Udemy disclosed a data breach affecting 1,401,259 user accounts. The breach was perpetrated by the ShinyHunters group, who initially attempted a “pay or leak” extortion scheme. When the payment demand was not met, the stolen data was publicly leaked. The exposed data includes email addresses, names, phone numbers, physical addresses, and employers. The breach was reported to Have I Been Pwned, and affected users can verify their exposure at haveibeenpwned.com.
What Was Exposed
The leaked dataset contains a combination of personally identifiable information (PII) that can be used for multiple types of fraud:
- Email Addresses: Direct vector for phishing attacks, especially spear-phishing targeting Udemy instructors based on disclosed employer details.
- Names: Enables personalized social engineering attempts.
- Phone Numbers: Opens the door to SMS-based phishing (smishing) and SIM-swapping attacks.
- Physical Addresses: Can be used for identity theft, fake account creation, or physical mail scams.
- Employers: A high-risk data point. Attackers can craft convincing phishing emails referencing specific companies (e.g., “Your Udemy corporate training account needs verification”).
How the Breach Happened
The ShinyHunters group, known for targeting online services and educational platforms, exploited a vulnerability or misconfiguration in Udemy’s systems to exfiltrate this data. The breach followed a common pattern: attackers accessed the database, downloaded user records, and then demanded a ransom to delete the data. When Udemy did not pay, the group publicly leaked the full dataset. This is the same group responsible for similar attacks on other ed-tech platforms, as reported in cybersecurity news. No specific CVE IDs have been linked to this breach yet.
Identity Theft Risks
The combination of name, physical address, employer, and email address creates a high risk for identity theft. An attacker possessing all four can:
- Open fraudulent accounts using your details for verification.
- Submit false tax returns if they obtain additional financial data from other breaches.
- Target your employer using your corporate email (if disclosed) in Business Email Compromise (BEC) schemes.
Given the exposure of phone numbers, there is also an elevated risk of SIM-swapping, where attackers convince your mobile carrier to transfer your number to their device, bypassing two-factor authentication (2FA) for other accounts.
What to Do Right Now
- Check Have I Been Pwned: Visit haveibeenpwned.com and search your email address. If this breach appears, assume your data is public.
- Watch for Phishing: Expect scam emails that appear to come from Udemy, referencing your employer or recent courses. Do not click links or download attachments from suspicious messages.
- Freeze Your Credit: Contact Equifax, Experian, and TransUnion to place a credit freeze. This prevents attackers from opening new accounts in your name using your exposed PII.
- Enable 2FA Everywhere: Use an authenticator app (not SMS) for critical accounts like email, banking, and social media. Given your phone number is leaked, SMS-based 2FA is vulnerable.
- Update Your Udemy Password: Even if the breach is from 2026, change your password now using a unique, complex passphrase. Do not reuse this password elsewhere.
Security Insight
This breach reveals a pattern of inadequate security controls at ed-tech companies relative to the sensitivity of data they hold. ShinyHunters specifically targets these platforms because they know many users reuse credentials across both professional and personal accounts. The inclusion of employer data is particularly dangerous: it turns a standard credential dump into a targeted corporate phishing campaign. The fact that the data was leaked only after an extortion attempt also suggests Udemy may have lacked proper exfiltration detection or failed to test offline backups before restoring services.
Related Breach Reports
In March 2026, the financial services firm Ameriprise Financial was named by the ShinyHunters group in a "pay or leak" extortion campaign. The group claimed possession of more than 200GB of compressed data exfiltrated from Ameriprise's Salesforce environment and internal SharePoint infrastructure, ...
In May 2026, the HVAC/R wholesale distributor Baker Distributing Company was added to the ShinyHunters data extortion group's "pay or leak" site. In early June, the group publicly published data they claimed had been obtained from Baker's SharePoint and Salesforce infrastructure including 103k uniq...
In May 2026, the corporate travel management company BCD Travel was claimed as a victim of the ShinyHunters "pay or leak" extortion campaign. Data allegedly obtained from BCD was subsequently published publicly in early June and contained 396k unique email addresses. Other exposed data included nam...
In May 2026, the telecommunications company Charter Communications (the parent company behind the consumer broadband and cable brand Spectrum) was named by the ShinyHunters group in a "pay or leak" extortion campaign. The group later published the data, which exposed 4.9M unique email addresses alo...