ShinyHunters claims it breached Udemy, one of the world’s largest online learning platforms, and is threatening to publish 1.4 million customer and instructor records unless the company pays an undisclosed amount.
The leaked dataset, confirmed by Have I Been Pwned, includes names, email addresses, physical addresses, phone numbers, employer information, and instructor payout details: PayPal accounts, cheque arrangements, and bank transfer data. “Over 1.4M records containing PII and other internal corporate data have been compromised. Pay or Leak,” the group posted on its leak site. It added that Udemy “failed to reach an agreement with us despite our incredible patience, all the chances and offers we made.” Udemy hasn’t made any public statement about the claims or what may have been exposed.
The instructor payout data is the detail that stings. ShinyHunters is specifically known for vishing, a social engineering tactic in which attackers phone targets while impersonating IT support staff to trick employees into revealing sensitive information. With full names, phone numbers, and employer information already in hand, Udemy’s instructors and customers face a credible follow-on threat: targeted voice calls from someone who already knows exactly how they get paid.
The group’s activity has accelerated recently, with breaches attributed to it involving ADT, the European Commission, Aura, and Rockstar Games, among others.
James Okafor