Udemy
1.4 million users and instructors. Email addresses, names, and financial payout information—PayPal accounts, bank transfers, check details. The data that pays content creators is now in attacker hands.
What happened?
On April 24, 2026, ShinyHunters posted a "Pay or Leak" warning on their data leak site, claiming to have compromised Udemy's Salesforce environment and stolen 2.3GB of data containing over 1.4 million records. They gave Udemy until April 27 to respond. When the deadline passed without payment, ShinyHunters released the full dataset.
What data was actually inside?
1.4 million unique email addresses of customers and instructors. Names. Physical addresses. Phone numbers. Employer information. And critically: instructor payout methods—PayPal account details, bank transfer information, and check payment records.
Udemy isn't just a learning platform. It's a marketplace where instructors earn money from course sales. The payout data reveals how thousands of content creators receive their income. That's financial targeting information—the kind that enables wire fraud, account takeover, and payment redirection attacks.
Who gets hurt and how?
Two groups: students and instructors. Students face the usual credential stuffing and phishing risks. But instructors face something more specific: attackers now know how they get paid. PayPal accounts can be targeted for takeover. Bank transfer details enable payment redirection fraud. Check recipients can expect convincing phishing attempts.
Udemy has over 70 million students and 75,000 instructors. Even if the breach only captured a fraction of that user base, 1.4 million records represents a significant portion of active, paying customers and revenue-generating creators.
What did they think they were doing right?
Running a successful online learning marketplace. Udemy processes millions of transactions, manages instructor payouts across multiple payment methods, and serves learners in 180+ countries. That scale requires enterprise infrastructure—CRM systems to manage relationships, payment systems to handle disbursements, support systems to handle inquiries.
ShinyHunters claimed the data came from Salesforce. The same attack pattern they've used against 7-Eleven, Zara, and dozens of other organizations. Udemy likely believed their Salesforce instance was a secure place to manage instructor relationships and payment information. It was—until it wasn't.
What did they not know about their own data?
Udemy has not made an official statement about the breach or what data was exposed. That silence is telling. Either they're still determining the scope, or they're hoping the story fades without public acknowledgment.
But Have I Been Pwned has already indexed the data. 1.4 million email addresses are now searchable. The question isn't whether the breach happened—it's whether Udemy knew that instructor payment methods were stored alongside contact information in a system accessible through a single Salesforce compromise.
If you use Salesforce, you probably have the same data types—emails, names, addresses, phone numbers. Do you know which fields contain PII?
What does attribution look like the morning after?
ShinyHunters has made education a priority target. They previously breached India's Unacademy platform, stealing over 10 million user accounts. In 2026, they've hit McGraw-Hill, Harvard University, and now Udemy. The education sector's combination of large user bases, payment data, and historically underfunded security makes it attractive.
For Udemy, the breach creates a trust problem with instructors—the people who generate the platform's content and revenue. If creators don't trust that their payout information is secure, they may move to competing platforms. The breach cost isn't just notification letters; it's potential instructor attrition.
What would have changed the outcome?
Knowing that instructor payout data—PayPal accounts, bank details—was accessible from the same environment as contact information.
Payment methods are some of the most sensitive data a platform holds. They should be compartmentalized, access-controlled, and audited separately from general CRM data. The question is whether anyone at Udemy had mapped which Salesforce objects contained financial information and who could access them.
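The mapping exercise described above can be sketched in a few lines. This is an added example, not code from Udemy or Salesforce: the rows are constructed sample data shaped like Salesforce FieldPermissions records, and every object, field and permission-set name, as well as the keyword classifier, is a hypothetical assumption.

```python
# Constructed sample rows shaped like Salesforce FieldPermissions records
# (permission set name, "Object.Field", read access). All names are hypothetical.
SAMPLE_FIELD_PERMISSIONS = [
    {"parent": "Support Agent", "field": "Contact.Email", "read": True},
    {"parent": "Support Agent", "field": "Contact.Phone", "read": True},
    {"parent": "Support Agent", "field": "Instructor_Payout__c.PayPal_Email__c", "read": True},
    {"parent": "Support Agent", "field": "Instructor_Payout__c.Bank_Account__c", "read": False},
    {"parent": "Payout Operations", "field": "Instructor_Payout__c.PayPal_Email__c", "read": True},
    {"parent": "Payout Operations", "field": "Instructor_Payout__c.Bank_Account__c", "read": True},
    {"parent": "Marketing Integration", "field": "Contact.Email", "read": True},
    {"parent": "Marketing Integration", "field": "Contact.MailingStreet", "read": True},
]

# Keyword heuristics (assumption): a real inventory should rely on a reviewed
# data classification, not on field-name matching alone.
CLASSIFIERS = {
    "financial": ("paypal", "bank", "iban", "routing", "payout", "check"),
    "contact": ("email", "phone", "mailing", "street", "name", "employer"),
}

def classify(field):
    """Return the sensitivity class of an 'Object.Field' name; financial wins over contact."""
    name = field.lower()
    for label in ("financial", "contact"):
        if any(keyword in name for keyword in CLASSIFIERS[label]):
            return label
    return "other"

def readable_by_class(rows):
    """Map each permission set to {class: sorted list of fields it can read}."""
    out = {}
    for row in rows:
        if not row["read"]:
            continue  # no read access granted, so nothing is exposed through this row
        label = classify(row["field"])
        out.setdefault(row["parent"], {}).setdefault(label, []).append(row["field"])
    return {p: {c: sorted(f) for c, f in classes.items()} for p, classes in out.items()}

def mixed_access(rows):
    """Permission sets that can read both contact and financial fields."""
    access = readable_by_class(rows)
    return sorted(p for p, c in access.items() if "contact" in c and "financial" in c)

if __name__ == "__main__":
    for parent in mixed_access(SAMPLE_FIELD_PERMISSIONS):
        print("review:", parent, readable_by_class(SAMPLE_FIELD_PERMISSIONS)[parent])
```

Any permission set the report flags is one where a single compromised account or integration reaches both contact and payout data, which is the compartmentalization gap the paragraph above describes.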
ShinyHunters got everything in one breach: contact info, employer data, payment methods. A single Salesforce compromise shouldn't expose the full range of sensitive data a platform holds. Unless nobody knew it was all in the same place.
Udemy found out the hard way.
Your team could spend the next 6 months rebuilding systems, notifying customers, and answering legal questions. Or you could spend 24 hours finding out what's actually at risk.