Udemy, Inc.

udemy.com
🎮Entertainment

Udemy is a US-based online learning marketplace headquartered in San Francisco. It hosts hundreds of thousands of courses taught by independent instructors, who are paid out as contractors via PayPal, bank transfer or cheque. The breached dataset covers both sides of that marketplace — paying students and the instructors who upload courses — which is why it contains both consumer fields (name, address, phone) and contractor-payout fields you would not expect to see in a typical consumer leak.

Key Takeaways

  • In April 2026, ShinyHunters published a 1.4M-email dataset stolen from Udemy after the company missed a 'pay or leak' deadline. Records cover both students and instructors and include name, email, phone, home address, employer and job title — and for instructors, the payout method on file (PayPal, cheque or bank transfer).
  • Udemy has not, at the time of writing, issued a customer or instructor notification, and has made no public statement about the incident. Treat this dataset as fully circulating among scammers and act on your own initiative rather than waiting for an email from Udemy.
  • If you'd rather Udemy not hold this data any longer, email privacy@udemy.com and ask them to close your account and delete your personal data — they have 30 days to confirm, and you don't have to use the support webform.

Breach Overview

ShinyHunters listed Udemy on its 'pay or leak' extortion portal on 24 April 2026 and published the dataset before the 27 April deadline; Have I Been Pwned indexed it on 26 April. The dump contains 1.4 million unique email addresses spanning both Udemy students and Udemy instructors, with each record including name, email, phone number, home address, employer and job title. Instructor records additionally carry the payout method on file — PayPal account, bank transfer or cheque — though the underlying account numbers are not all confirmed to be present in cleartext. Reporting by CyberNews, eSecurity Planet and Bitdefender all note Udemy has not confirmed or denied the incident, and Udemy's press and policy pages carry no breach notice. ShinyHunters has run the same playbook against Hallmark, Carnival, Vercel, McGraw-Hill and Harvard in the same window; some of those campaigns went via Salesforce or third-party vendor compromise, but Udemy has not disclosed an attack vector.

Exposed Data

  • Email addresses
  • Employers
  • Job titles
  • Names
  • Payment methods
  • Phone numbers
  • Physical addresses

Timeline & Cause

ShinyHunters listed Udemy on its leak site on 24 April 2026 with a public warning and a deadline of 27 April 2026. The dataset went public ahead of that deadline and was added to Have I Been Pwned on 26 April 2026. Udemy has not described the attack chain, has not named a date of intrusion or detection, and has not issued a press release or customer notification at the time of writing. Reporting attributes the breach to ShinyHunters' general MO of vishing, infostealer-harvested credentials and MFA bypass, often via a third-party vendor or contractor account, but no specific vector has been confirmed for Udemy.

Next Steps

If you are a Udemy student, the stolen fields — your name, email, phone, home address, employer and job title — are a toolkit for very targeted work-themed scams. Expect: "your Udemy course access is expiring, click to renew" emails using your real name and the address you used to sign up; LinkedIn-style recruiter SMS or emails that quote your current employer and job title to push fake job listings or training-budget grants; "your manager bought you a Udemy Business licence — log in here" lures aimed at the work email you registered with; and cold calls from people pretending to be Udemy support, Udemy Business sales or a recruiter, dropping your name and employer in to sound legitimate. Don't click links in any of these, don't call back the number they give, and treat any "Udemy" message that asks for a card or password as hostile.

If you are a Udemy instructor, the bigger risk is your payout. Watch specifically for: emails or in-platform messages telling you to "update your PayPal/bank account" before your next payout, often dressed up as a tax-compliance or KYC step — these are designed to redirect future earnings; fake DMCA or content-takedown notices threatening to remove your courses unless you log in via a link; fake tax-form requests ("please complete this W-9/1099" or VAT-form equivalents) collecting government IDs; and account-takeover attempts using the email address from the leak combined with credential-stuffed passwords. Only change payout details by logging in to udemy.com directly, never via a link in a message, and turn on two-factor authentication on your instructor account if you have not already.

If you'd rather Udemy stop holding your data at all, email privacy@udemy.com and ask them to close your account and delete your personal data. You don't have to give a reason, and a plain email is fine even though Udemy points people to a support ticket form; they have 30 days to confirm. Udemy has not said whether passwords were in the dump and has not asked users to reset, so as a precaution change your Udemy password — and rotate that password anywhere else you used it, since your email address is now public and is the bridge an attacker would use to try the same password elsewhere.
