CyberHire

The Udemy breach is a hiring story, not just a security one

Udemy is the latest in the ShinyHunters supply-chain wave. The interesting question is not what happened, but what the breach says about cyber security hiring.

Udemy is now part of the ShinyHunters dump pile: 1.4 million records published this week, including names, employer information, instructor payment methods, the lot. Coverage so far is treating it as another supply-chain breach story.

It is. But it is also a useful prompt to talk about something the cyber security industry has been quietly avoiding for years: how we hire defenders in a world where the credentials people put on their CVs are mostly noise.

The short version

ShinyHunters has been quietly working through a list of Salesforce-linked targets for months. 400 of them by their own count. 42 published publicly so far. Udemy joined the pile this week alongside Zara and 7-Eleven, all extorted, none of them paying, all of them dumped.

The interesting question is not what ShinyHunters did. They have been doing the same thing for months and at this point the pattern is clear. The interesting question is whether the cyber security people inside an affected company could have caught it. And what the answer tells you about how this industry is currently hiring.

What ShinyHunters actually did

Pay or leak. Same playbook every time. The group exfiltrates a target’s data, threatens publication, sets a deadline. If negotiations fail or the target ignores them, the data goes up on a dark web leak site with the same dry message: “the company failed to reach an agreement, they don’t care.”

The current campaign focuses on Salesforce environments and the third-party tools that plug into them. The Zara dump points at Anodot, an analytics platform, as the entry point. 7-Eleven and Udemy show similar fingerprints: large volumes of Salesforce records, exfiltration of customer and corporate data, no direct compromise of the named victim’s own infrastructure required.

That third-party access pattern matters. It means the defenders looking for evidence of the breach inside the named company’s primary logs are not necessarily looking in the right place. The connection lives somewhere in the SaaS-to-SaaS stack, often via an OAuth token granted years ago to an integration nobody is paying attention to.

Public reporting on the specific attack vector is still developing. What is clear is that this is a supply-chain pattern at scale, and that whoever is sitting inside the security teams of those 400 named targets has been having a difficult month.

Why Udemy showing up here is the awkward bit

Udemy will be fine. Companies survive supply-chain breaches all the time. The brand takes a knock, customer trust dents for a quarter, the security team deploys some new monitoring, and the news cycle moves on.

The awkward bit is not Udemy’s reputation. It is the industry-wide conversation that Udemy ending up in the breach pile is going to surface, whether anyone wants to have it or not.

Because Udemy is where a lot of cyber career-changers go to train. Hours of “Cybersecurity Bootcamp.” Hours of “Linux for Ethical Hackers.” Hours of “Become a SOC Analyst in 30 Days.” Some of the content is genuinely useful. None of it is recognised in the cyber security industry as a formal credential.

That distinction matters more than it sounds.

The cyber learning hierarchy, honestly

Most cyber security hiring managers carry an internal hierarchy of how they read training and credentials on a CV, even if nobody writes it down. Roughly, in descending order of weight:

Vendor certifications. AWS, Microsoft, Cisco, Splunk, CrowdStrike. Real signal of skill inside a specific platform, vendor-recognised, often required for partner-status engagements. These count.

Industry certifications. OSCP, GIAC, GREM, CISSP, CISM, CRTP. The offensive-security and blue-team alphabet. Varying skill correlation. The hands-on tracks (OSCP, GIAC technical, CRTP) carry more weight than the multiple-choice ones, but all of them count.

Formal training providers. SANS, Offensive Security, ISC2, ISACA, CREST, the major national bodies. Recognised, expensive, takes weeks of full-time effort to complete, comes with credentials hiring managers know.

Hands-on practice platforms. Hack The Box, TryHackMe, similar. Good for keeping skills current, useful as portfolio evidence, not credentials. Their badges and ranks are signals to other practitioners, not to hiring managers reviewing 80 CVs in an afternoon.

Udemy, Coursera, casual MOOCs. Helpful for casual learning, exploration, hobbyist enthusiasm. Not formally recognised in the cyber security industry, not credentials, not part of the path to career progression.

That last category is not a dunk on Udemy or its instructors. The platform serves a genuine purpose for casual learners and people taking their first look at the field. The point is structural, not personal: nobody hiring a senior cyber security analyst, pentester, or incident responder is reading “completed 14 Udemy courses” on a CV and thinking “right, that is the credential we needed.” That is not how the industry works. The breach just made the conversation a touch louder.

The skills that would have caught a Salesforce supply-chain attack

A proper post-mortem on the ShinyHunters Salesforce campaign is going to take months. The vector specifics are still being unpicked, and I am not going to pretend to have inside knowledge of it. What I will say is that the broad pattern - third-party SaaS connector compromised, OAuth token abused, customer data exfiltrated - is one the industry has seen many times, and the skills required to catch it are well-documented.

They include:

  • Reading cloud audit logs across SaaS platforms, not just one vendor’s UI
  • Spotting anomalous OAuth token usage and grant changes
  • Third-party app risk review, including stale tokens and orphaned grants
  • Detecting unusual data export patterns from CRM and analytics environments
  • Knowing the SaaS-to-SaaS connection map of the stack you are defending
  • Understanding the difference between a legitimate ETL job and an exfiltration disguised as one

None of these are skills you can read off a CV. They are not skills that a 14-hour Udemy course teaches. They are not even skills that an OSCP necessarily teaches, since OSCP is offensively-shaped and supply-chain detection is a defensive problem. They are skills that come from doing the work, in a real environment, against real data, repeatedly, and ideally with someone senior in the room calling out where the gaps are.

So how should you hire for this?

If the credential layer of cyber hiring is increasingly noisy, the answer is not to invent a new credential to layer on top. The answer is to stop reading CVs as the primary signal and start putting candidates in front of the actual work.

It looks something like this. Give the candidate a real cloud audit log with an anomaly buried in it. Ten minutes. “Is anything off here?”

Give them a SaaS connection map with a stale OAuth token granted three years ago to a vendor that no longer exists. “What would you look at first?”

Give them a CRM data export pattern that does not quite fit the usual rhythm. “Is this normal?”

What you find very quickly is that the certified candidate who looks great on paper sometimes cannot do these things, and the career-changer who has been quietly working on real problems for two years sometimes can. That is the conversation worth having. Not which credentials look impressive on the page. Whether the candidate can do the actual job under the actual conditions of the actual role.
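The skills list earlier and the three interview prompts just above (an anomaly buried in an audit log, a stale OAuth grant to a vendor that no longer exists, an export that does not fit the usual rhythm) come down to a couple of concrete checks. What follows is an added example written for this article, not CyberHire's assessment material and not any CRM vendor's real API or log schema: the event field names (type, app, ts, ip, rows) and the sample events are constructed for the example. It runs two detections over that constructed audit log: one flags integrations whose OAuth grant is old and has gone unused, the other flags an export that breaks its own integration's baseline on volume or on source address, which is how a legitimate nightly ETL job is told apart from an exfiltration riding the same token.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed sample audit events (not a real vendor schema): one OAuth grant
# per integration, then the exports each integration performs with that token.
EVENTS = [
    {"type": "OAUTH_GRANT", "app": "analytics-connector", "ts": "2022-03-01T09:00:00", "ip": "203.0.113.10"},
    {"type": "OAUTH_GRANT", "app": "old-marketing-vendor", "ts": "2021-06-15T11:30:00", "ip": "198.51.100.7"},
    {"type": "OAUTH_GRANT", "app": "billing-sync", "ts": "2024-11-02T08:15:00", "ip": "203.0.113.20"},
    # steady nightly ETL from the analytics connector: the legitimate-job baseline
    {"type": "DATA_EXPORT", "app": "analytics-connector", "ts": "2025-05-01T02:00:00", "ip": "203.0.113.10", "rows": 5200},
    {"type": "DATA_EXPORT", "app": "analytics-connector", "ts": "2025-05-02T02:00:00", "ip": "203.0.113.10", "rows": 4900},
    {"type": "DATA_EXPORT", "app": "analytics-connector", "ts": "2025-05-03T02:00:00", "ip": "203.0.113.10", "rows": 5300},
    {"type": "DATA_EXPORT", "app": "analytics-connector", "ts": "2025-05-04T02:00:00", "ip": "203.0.113.10", "rows": 5100},
    {"type": "DATA_EXPORT", "app": "analytics-connector", "ts": "2025-05-05T02:00:00", "ip": "203.0.113.10", "rows": 5000},
    {"type": "DATA_EXPORT", "app": "analytics-connector", "ts": "2025-05-06T02:00:00", "ip": "203.0.113.10", "rows": 5150},
    # same token, off-schedule, never-seen source address, roughly 270x the usual volume
    {"type": "DATA_EXPORT", "app": "analytics-connector", "ts": "2025-05-07T03:41:00", "ip": "192.0.2.99", "rows": 1400000},
    {"type": "DATA_EXPORT", "app": "billing-sync", "ts": "2025-05-06T06:00:00", "ip": "203.0.113.20", "rows": 800},
    {"type": "DATA_EXPORT", "app": "billing-sync", "ts": "2025-05-07T06:00:00", "ip": "203.0.113.20", "rows": 820},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def stale_grants(events, now, max_age_days=365, idle_days=90):
    """Return apps whose OAuth grant is older than max_age_days and that have
    performed no export in the last idle_days: the orphaned-integration case."""
    granted = {e["app"]: _ts(e) for e in events if e["type"] == "OAUTH_GRANT"}
    last_used = {}
    for e in events:
        if e["type"] == "DATA_EXPORT":
            last_used[e["app"]] = max(last_used.get(e["app"], _ts(e)), _ts(e))
    stale = []
    for app, when in granted.items():
        old = now - when > timedelta(days=max_age_days)
        idle = app not in last_used or now - last_used[app] > timedelta(days=idle_days)
        if old and idle:
            stale.append(app)
    return sorted(stale)


def export_anomalies(events, volume_factor=5):
    """Flag exports that break an app's own pattern: row count far above that
    app's median, or a source IP the app's token has never been used from.
    The grant IP seeds the known set so a connector's first job is not flagged."""
    seen_ips = defaultdict(set)
    for e in events:
        if e["type"] == "OAUTH_GRANT":
            seen_ips[e["app"]].add(e["ip"])
    exports = sorted((e for e in events if e["type"] == "DATA_EXPORT"), key=_ts)
    baseline = defaultdict(list)
    for e in exports:
        baseline[e["app"]].append(e["rows"])
    findings = []
    for e in exports:
        reasons = []
        # median is robust to the outlier itself sitting in the baseline
        if e["rows"] > volume_factor * median(baseline[e["app"]]):
            reasons.append("volume")
        if e["ip"] not in seen_ips[e["app"]]:
            reasons.append("new_ip")
        seen_ips[e["app"]].add(e["ip"])
        if reasons:
            findings.append({"app": e["app"], "ts": e["ts"], "rows": e["rows"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for app in stale_grants(EVENTS, now=datetime(2025, 5, 8)):
        print(f"stale, unused OAuth grant: {app}")
    for finding in export_anomalies(EVENTS):
        print(f"anomalous export: {finding}")
```

Two design choices carry the point. The baseline is per integration, not per tenant, because a 1.4 million row pull is only anomalous relative to what that token normally does; and a new source address is treated as a signal on its own, since a token granted years ago being exercised from somewhere it has never been seen is exactly the case the interview prompts describe. A real deployment would read the audit trail from the platform's export API rather than an inline list, and would tune the thresholds to the stack being defended.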

CyberHire was built for exactly this - calibrated, hands-on assessments that put candidates in real environments and let the work speak. We have written before about why putting the assessment first cuts six weeks of screening down to days, and about why training platforms and hiring platforms solve different problems.

The Udemy breach is a topical hook for that argument, not a new one. The argument has been there for years.

One honest sentence

A 14-hour Udemy course was never a hiring credential, and it never pretended to be. The breach just reminded the industry, briefly and uncomfortably, why we should care about the difference.

Stop reading CVs. Start reading evidence.

Try CyberHire on your next cyber hire.

Calibrated assessments, real environments, ranked candidate evidence. 14 days free, invitation only.
