University of Pennsylvania Email System Breach and Data Leak
A hacker gained unauthorized access to the University of Pennsylvania's Salesforce Marketing Cloud mailing system, using it to send a mass email to approximately 700,000 recipients and mock the university's security and admissions practices. The attacker claimed to have exfiltrated sensitive data on 1.2 million donors, alumni, and students, including names, birthdates, addresses, contact information, estimated net worth, donation history, and demographic details such as religion, race, and sexual orientation. The university confirmed the breach originated from its connect.upenn.edu platform, which is hosted by Salesforce, and that the attacker was able to distribute the message widely before losing access on October 31.
Despite losing initial access, the attacker asserted continued control over the Salesforce Marketing Cloud system and subsequently published a 1.7-gigabyte archive allegedly containing the stolen data. The incident highlights significant risks associated with third-party cloud-based communication platforms and the potential for large-scale exposure of sensitive personal and financial information. The breach has raised concerns about the security of university systems and the protection of donor and student data, with the attacker openly ridiculing the institution's cybersecurity posture in the process.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
7 events from the most recent confirmed update back to the earliest known activity.
Cyderes reveals Advanced Installer supply chain risk
Cyderes researchers identified a supply chain weakness involving the Advanced Installer tool that could let attackers distribute malware through legitimate software updates when digital signature enforcement is not used.
Proofpoint reports remote-access-tool intrusions tied to cargo theft
Proofpoint said threat actors were using remote access tools to infiltrate logistics platforms and facilitate theft of trucking cargo.
FortiGuard uncovers TruffleNet BEC scam abusing AWS infrastructure
FortiGuard researchers reported the 'TruffleNet' business email compromise scheme, which used Amazon AWS infrastructure to support phishing operations.
Microsoft identifies SesameOp backdoor using OpenAI Assistants API
Microsoft disclosed the 'SesameOp' backdoor, describing how it abused the OpenAI Assistants API for covert command-and-control activity.
University of Pennsylvania email breach exposes 1.2 million people
A major breach at the University of Pennsylvania exposed sensitive data belonging to about 1.2 million donors, alumni, and students. The attacker used the university's Salesforce Marketing Cloud environment to send mocking emails and later leaked internal documents.
Ukrainian national extradited to the US over Conti ransomware role
Irish authorities extradited Ukrainian national Oleksii Lytvynenko to the United States for his alleged role in Conti ransomware operations.
Operation Ironside leads to 55 arrests and $17 million in seizures
Australian police announced a new round of Operation Ironside actions, arresting 55 people and seizing about $17 million in assets after exploiting the compromised Anom messaging app to infiltrate organized crime networks.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
University of Pennsylvania Graduate School of Education Email Compromise and Data Leak Threats
The University of Pennsylvania experienced a cybersecurity incident in which offensive emails were sent to thousands of students and alumni from addresses associated with the Graduate School of Education. The emails, distributed via the university's mailing list platform hosted on Salesforce Marketing Cloud, contained inflammatory language, criticized the university's security and admissions practices, and threatened to leak stolen data. University officials confirmed the emails were fraudulent and stated that their Office of Information Security and Incident Response team were actively investigating the breach. The emails referenced alleged violations of federal laws and Supreme Court rulings, echoing tactics seen in recent cyberattacks on other universities following the Supreme Court's decision on affirmative action. While the university has not confirmed whether any data was actually stolen, recipients were advised to disregard the messages and report any further suspicious communications. The incident highlights ongoing threats targeting higher education institutions, particularly those related to contentious policy issues and data security vulnerabilities.
Mar 21, 2026
ShinyHunters Leaks Donor and Alumni Data Stolen from Harvard and UPenn
**ShinyHunters** published datasets it claims were stolen during prior breaches at **Harvard University** and the **University of Pennsylvania (UPenn)**, posting what it says are **over one million records from each university** to its leak site used for extortion. Reporting indicates the exposed information relates to the schools’ development/alumni functions; TechCrunch said it verified portions of the data by corroborating details with alumni and public records (including matching against student ID numbers). Both universities attributed the intrusions to **social engineering** targeting staff supporting alumni and fundraising operations. UPenn previously confirmed unauthorized access to “a select group” of systems tied to development and alumni activities and said attackers also used official university email addresses to message alumni about the incident. Harvard reported its Alumni Affairs and Development environment was accessed following a **phone/voice-phishing** attack, and its incident FAQ described impacted data as including contact details (email, phone, home/business addresses), event attendance, donation details, and other biographical and fundraising-related information; public reporting noted uncertainty about whether affected individuals would receive individual notifications under applicable state requirements.
Mar 21, 2026
Princeton University Advancement Database Breach Exposes Donor and Alumni Information
Princeton University disclosed that its Advancement database, containing personal information of alumni, donors, some faculty, students, parents, and other community members, was compromised by unauthorized actors on November 10. The breach lasted less than 24 hours, and while the investigation is ongoing, the university stated that the database generally does not contain Social Security numbers, passwords, or financial data such as credit card or bank account numbers. The exposed data includes names, email addresses, phone numbers, and home and business addresses, as well as donation information. University officials have communicated with affected individuals, urging vigilance against potential phishing attempts and confirming that no other systems were accessed during the incident. The university is working with external experts and law enforcement to determine the full scope of the breach and its impact. Princeton emphasized that student records protected by federal privacy laws and most staff data were not included in the compromised database. This incident follows a series of recent data breaches at other Ivy League institutions, highlighting ongoing threats to higher education data security. The university has provided a dedicated FAQ and incident information page to keep the community informed as the investigation progresses.
Mar 21, 2026