Cyber Incident Victim: Mediaworks Hungary
Date:
Apr 2026
Location:
Hungary
Summary
Threat actors claimed to have accessed more than one million Udemy user records and threatened to release the data unless a ransom was paid, later releasing a dataset that included names, addresses, phone numbers, employer details and payout information for instructors. Separately, a government cybersecurity agency added seven actively exploited vulnerabilities to its known exploited vulnerabilities list, highlighting four Microsoft flaws and two Adobe flaws that required immediate remediation by federal agencies.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On24 April 2026 a ShinyHunters extortion claim was first reported, alleging that the group had placed Udemy on its dark‑web victim site and threatened to leak more than 1.4 million records belonging to the online learning platform. Cybernews reported the claim on the same day, noting that Udemy had not confirmed the breach at the time of publication and that the disclosure remained claim‑based. The ShinyHunters group subsequently released a dataset containing the alleged records. Following the release, the Have I Been Pwned service added 1.4 million unique email addresses to its database, linking those addresses to Udemy customers and instructors.
The exposed data, as reported by Cybernews and Have I Been Pwned, reportedly included names, physical addresses, telephone numbers, employer details and, for instructors, payout methods such as PayPal, check and bank transfer. The disclosure of this personal information raised concerns about potential identity theft, fraud and unwanted contact for the individuals whose data appeared in the leak. No further specifics about the volume of affected accounts beyond the 1.4 million email addresses were provided in the source material.
In response to the public disclosure, Have I Been Pwned incorporated the leaked email addresses into its breach notification service, allowing affected individuals to check whether their information appeared in the dataset. Cybernews continued to report on the claim, reiterating Udemy’s lack of confirmation and the claim‑based nature of the allegation. The source material does not describe any internal investigation, public statement or remedial action taken by Udemy beyond the absence of a breach confirmation at the time of the initial report.
The incident thus unfolded as an unverified extortion claim that led to the publication of a dataset, the aggregation of associated email addresses in a breach‑notification service and the exposure of personal and financial details, with the only confirmed response actions being the inclusion of the data in Have I Been Pwned and the ongoing reporting by Cybernews.