University of Pennsylvania Graduate School of Education Email Compromise and Data Leak Threats
The University of Pennsylvania experienced a cybersecurity incident in which offensive emails were sent to thousands of students and alumni from addresses associated with the Graduate School of Education. The emails, distributed via the university's mailing list platform hosted on Salesforce Marketing Cloud, contained inflammatory language, criticized the university's security and admissions practices, and threatened to leak stolen data. University officials confirmed the emails were fraudulent and stated that their Office of Information Security and Incident Response team were actively investigating the breach.
The emails referenced alleged violations of federal laws and Supreme Court rulings, echoing tactics seen in recent cyberattacks on other universities following the Supreme Court's decision on affirmative action. While the university has not confirmed whether any data was actually stolen, recipients were advised to disregard the messages and report any further suspicious communications. The incident highlights ongoing threats targeting higher education institutions, particularly those related to contentious policy issues and data security vulnerabilities.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Further reporting links attack messaging to anti-affirmative-action themes
Additional coverage highlighted that the attacker’s messaging echoed recent university-targeted incidents focused on affirmative action and alleged noncompliance with the Supreme Court’s 2023 admissions ruling.
University of Pennsylvania confirms data was stolen in cyberattack
Penn later confirmed that a cyberattack resulted in data theft, moving the incident from an unverified threatening email campaign to a confirmed breach affecting university data.
Reports emerge that nearly 1.2 million people may be affected
Subsequent reporting indicated the alleged breach may have impacted almost 1.2 million individuals, marking a significant escalation in the scope of the incident.
University of Pennsylvania opens security incident investigation
Penn said the message was fake and did not reflect the university or Penn GSE, and its Office of Information Security and Incident Response began actively handling the incident. The university advised recipients to delete the email and report related suspicious messages.
Offensive mass email sent through Penn GSE system
Thousands of current and former University of Pennsylvania Graduate School of Education students received a fraudulent email sent through the school system containing offensive language and threats to leak allegedly stolen university data.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
5 references tracked. Mallory keeps watching after this page renders.
Musk and Trump both went to Penn—now hacked by someone sympathetic to their cause
arstechnica.com
Open sourceUniversity of Pennsylvania confirms data stolen in cyberattack
bleepingcomputer.com
Open sourceAlmost 1.2M allegedly impacted by University of Pennsylvania breach
scworld.com
Open source‘We got hacked’ emails threaten to leak University of Pennsylvania data
bleepingcomputer.com
Open sourceUniversity of Pennsylvania investigating offensive email sent through graduate school system
therecord.media
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
University of Pennsylvania Email System Breach and Data Leak
A hacker gained unauthorized access to the University of Pennsylvania's Salesforce Marketing Cloud mailing system, using it to send a mass email to approximately 700,000 recipients and mock the university's security and admissions practices. The attacker claimed to have exfiltrated sensitive data on 1.2 million donors, alumni, and students, including names, birthdates, addresses, contact information, estimated net worth, donation history, and demographic details such as religion, race, and sexual orientation. The university confirmed the breach originated from its connect.upenn.edu platform, which is hosted by Salesforce, and that the attacker was able to distribute the message widely before losing access on October 31. Despite losing initial access, the attacker asserted continued control over the Salesforce Marketing Cloud system and subsequently published a 1.7-gigabyte archive allegedly containing the stolen data. The incident highlights significant risks associated with third-party cloud-based communication platforms and the potential for large-scale exposure of sensitive personal and financial information. The breach has raised concerns about the security of university systems and the protection of donor and student data, with the attacker openly ridiculing the institution's cybersecurity posture in the process.
Mar 21, 2026
ShinyHunters Leaks Donor and Alumni Data Stolen from Harvard and UPenn
**ShinyHunters** published datasets it claims were stolen during prior breaches at **Harvard University** and the **University of Pennsylvania (UPenn)**, posting what it says are **over one million records from each university** to its leak site used for extortion. Reporting indicates the exposed information relates to the schools’ development/alumni functions; TechCrunch said it verified portions of the data by corroborating details with alumni and public records (including matching against student ID numbers). Both universities attributed the intrusions to **social engineering** targeting staff supporting alumni and fundraising operations. UPenn previously confirmed unauthorized access to “a select group” of systems tied to development and alumni activities and said attackers also used official university email addresses to message alumni about the incident. Harvard reported its Alumni Affairs and Development environment was accessed following a **phone/voice-phishing** attack, and its incident FAQ described impacted data as including contact details (email, phone, home/business addresses), event attendance, donation details, and other biographical and fundraising-related information; public reporting noted uncertainty about whether affected individuals would receive individual notifications under applicable state requirements.
Mar 21, 2026
University of Pennsylvania Data Breach via Clop Exploitation of Oracle E-Business Suite
The University of Pennsylvania suffered a data breach after attackers exploited a zero-day vulnerability in Oracle's E-Business Suite (EBS), resulting in the theft of personal information from its systems. The Clop ransomware group is believed to be behind this attack, which targeted numerous Oracle EBS customers worldwide, including other Ivy League institutions such as Dartmouth College and Harvard University. The breach notification filed with Maine's Attorney General confirmed that at least 1,488 individuals were affected, though the total number of victims is likely higher. The university responded by patching its systems after Oracle released fixes and notified federal law enforcement. The attack was part of a broader campaign in which Clop exploited multiple vulnerabilities in Oracle EBS to steal large amounts of data from various organizations. The University of Pennsylvania only became aware of the breach after Oracle acknowledged the vulnerability and Clop began sending extortion emails to victim organizations. While the university has not disclosed the specific types of data stolen, it has stated that there is no evidence the information has been publicly disclosed or misused. The incident highlights the risks associated with unpatched enterprise software and the growing trend of ransomware groups exploiting zero-day vulnerabilities for data theft and extortion.
Mar 21, 2026