- Alleged breach size: ~1.4 million user records
- Threat type: “Pay or leak” extortion campaign
- Attack date: April 24, 2026
- Target: Udemy (global SaaS platform)
A new cyber-incident has emerged. Hacking group Shiny Hunters claims that it has hacked Udemy and threatens to release more than 1.4 million user records, including personally identifiable information (PII) and internal company data. There is no confirmation of whether the hackers’ claim is valid. But the hackers have already listed Udemy on their “leak” website and have sent out a message saying “we will pay you, we will leak you”.
What happened?
Shiny Hunters claimed that it published the breach on April 24, 2026. According to the claim by Shiny Hunters, they got access to all users’ and companies’ sensitive data. The hackers also gave Udemy a deadline for responding before making the breach information available to everyone.
This is similar to what many other groups have done:
- breach
- dark web posting of breach details
- deadline
- pressure to make payments
👉 It’s different from classic ransomware.
👉 It’s pure data theft. Plus they get to use your reputation to extort money.
How does this affect us? (beyond Udemy)
This is not just another individual incident; it reflects a bigger picture of how bad things are getting as threat actors attack modern digital environments. Shiny Hunters has made a name for itself by hacking SaaS platforms, educational entities and enterprise environments. Their goal is to steal large amounts of sensitive information which can then be used to extort money. Other reported or confirmed victims of Shiny Hunters include Vercel, McGraw Hill, and Harvard University.
All of these incidents show that threat actors are no longer random. Instead, they are intentional. They’re going after cloud-based systems that hold lots of user IDs and credentials that allow them to move throughout a network. These types of attacks in 2026 demonstrate a big change. Attackers are starting to go after identity layers and SaaS platforms as a first step. They’re using those as a way to get into a system, instead of relying on traditional ways to break in.
The real danger: identity-based attacks
Traditional methods of breaking into computer systems are no longer common among today’s threat actors.
Threat actors are now using:
- stolen login credentials
- SaaS integration vulnerabilities
- moving around within a system
Shiny Hunters uses a very simple playbook:
- “log in, do not break in.”
Their goals include gaining access to:
- your access token
- login credentials
- identity systems
👉 So these types of attacks are able to blend in with regular usage of a system.
Why SaaS platforms are the new battleground
As organizations adopt more SaaS applications, the attack surface expands. With sensitive data stored across many cloud-based systems, data becomes less centralized and more fragmented. And since identity management provides access to nearly every system in an organization’s digital ecosystem, the number of potential entry points grows exponentially. Additionally, as many organizations now store sensitive data across multiple cloud providers, each organization has much less visibility and thus greater risk. Therefore, when one account is compromised, it can give an attacker an entry point into the organization’s entire digital ecosystem.
The “pay or leak” model
Shiny Hunters isn’t simply taking your data — they’re weaponizing it.
Here is how most attacks work:
- take large sets of data
- post evidence on the dark web
- set time frame for response
- pressure victim to pay
If the victim doesn’t pay:
👉 the data will be released publicly to anyone willing to download it
👉 can be used for phishing scams
👉 can be used for identity theft
👉 can be used for follow-up attacks
Large datasets typically contain:
- email addresses
- phone numbers
- internal company files
👉 Everything needed to carry out large-scale cyber crimes.
Investment angle: cybersecurity shift
The incident above is consistent with the major structural shift happening in cybersecurity. Organizations historically focused on perimeter security, firewalls and endpoint protection. Now, as attacks continue to progress deeper into cloud environments, the emphasis is on identity security, access control and behavior monitoring. In this new worldview, cybersecurity goes far beyond protecting systems: it’s about who is allowed access to those systems, and how that access is used. As a result, the industry has begun transitioning towards an identity-first architecture, where protecting user credentials and analyzing user behavior represent the new lines of defense.
Important takeaways for investors
* SaaS platforms are rapidly becoming prime targets for attackers.
* The identity layer represents the greatest weakness in modern systems.
* Data breaches are becoming more frequently driven by extortion schemes.
* Demand for cybersecurity products is expanding beyond infrastructure to include secure communications, identity protection and data sovereignty for both enterprises and governments alike.
The evolving threat landscape has led companies like Sekur Private Data (OTCQB: SWISF | CSE: SKUR) to position themselves as solutions for the identity-driven cyberattacks threatening businesses today. Sekur offers secure communication products (encrypted email, messaging and VPN services) hosted out of Switzerland using independent communications systems to limit the ability of third parties to access or intercept your communications. Unlike other communication platforms that operate through large cloud providers, Sekur relies on the privacy and data protection laws and regulations of Switzerland to give its users a high level of control over their own communications environment, limiting external entities’ visibility into its operation.
Where Sekur Fits In
- Ticker: OTCQB: SWISF
- Model: Subscription-based secure communications (email, messaging, VPN)
- Positioning: Swiss-hosted infrastructure focused on privacy, data sovereignty, and metadata protection
There is an enormous opportunity for Sekur. Today there are well over 3 billion users of global messaging applications, and enterprise cybersecurity spend is expected to be greater than $400 billion+. Therefore, even an extremely small portion of these users migrating to a premium secure communication application would create a substantial addressable market. For example, a migration of a mere 1% of global messaging application users to a secure paid communication application represents a user base of 30+ million users.
The relevance of Sekur’s secure communication product is especially evident in light of attacks such as the alleged Udemy breach, where an attacker exploits identity, credentials and communication flow as opposed to directly breaching a system. The goal of Sekur’s product is to reduce the amount of information about you that is available to others and to give you control over what information you share with others via its communication channel. Furthermore, by relying less on interconnected Software-as-a-Service (SaaS) ecosystems, Sekur seeks to protect against the type of vulnerability being targeted by most modern threat actors.
Bottom Line
The alleged Udemy breach is not merely another media story; it represents a larger shift in how attackers approach cyber threats. Rather than targeting hardware infrastructure, attackers are increasingly targeting the identity layer of systems. Groups such as Shiny Hunters are showing that the weakest link in modern systems is not the technology itself but rather the user access layer that governs it. As attacks grow in sophistication, scalability and stealthiness, demand for secure communication, identity protection and data sovereignty continues to rise across both enterprise and government sectors.
This is sponsored content. Investors should conduct their own due diligence and consult a qualified financial advisor before making any investment decisions.
Marc has been involved in the Stock Market Media Industry for the last 5+ years. After obtaining a college degree in engineering in France, he moved to Canada, where he created Money,eh?, a personal finance website.




