Vishing Attack Leads to Harvard University Data Breach
Harvard University confirmed a significant data breach after threat actors used a voice phishing (vishing) attack to compromise its Alumni Affairs and Development systems. The attackers gained access to a wide range of personal information, including phone numbers, email addresses, home and business addresses, event attendance records, donation details, and other biographical data related to alumni, donors, parents, some current students, faculty, and staff. University officials emphasized that no Social Security numbers, passwords, payment card information, or financial data were stored in the affected systems. Immediate steps were taken to expel the attackers and secure the compromised systems.
The university is collaborating with law enforcement and third-party cybersecurity experts to investigate the incident and has notified affected individuals. Harvard urged those impacted to be vigilant for suspicious communications, as the exposed data could be used in further social engineering attacks. This breach follows similar incidents at other Ivy League institutions, highlighting the ongoing threat of vishing and targeted phishing campaigns against higher education organizations.
Related Entities
Threat Actors
Sources
Related Stories
Princeton University Advancement Database Breach Exposes Donor and Alumni Information
Princeton University disclosed that its Advancement database, containing personal information of alumni, donors, some faculty, students, parents, and other community members, was compromised by unauthorized actors on November 10. The breach lasted less than 24 hours, and while the investigation is ongoing, the university stated that the database generally does not contain Social Security numbers, passwords, or financial data such as credit card or bank account numbers. The exposed data includes names, email addresses, phone numbers, and home and business addresses, as well as donation information. University officials have communicated with affected individuals, urging vigilance against potential phishing attempts and confirming that no other systems were accessed during the incident. The university is working with external experts and law enforcement to determine the full scope of the breach and its impact. Princeton emphasized that student records protected by federal privacy laws and most staff data were not included in the compromised database. This incident follows a series of recent data breaches at other Ivy League institutions, highlighting ongoing threats to higher education data security. The university has provided a dedicated FAQ and incident information page to keep the community informed as the investigation progresses.
3 months ago
ShinyHunters Leaks Donor and Alumni Data Stolen from Harvard and UPenn
**ShinyHunters** published datasets it claims were stolen during prior breaches at **Harvard University** and the **University of Pennsylvania (UPenn)**, posting what it says are **over one million records from each university** to its leak site used for extortion. Reporting indicates the exposed information relates to the schools’ development/alumni functions; TechCrunch said it verified portions of the data by corroborating details with alumni and public records (including matching against student ID numbers). Both universities attributed the intrusions to **social engineering** targeting staff supporting alumni and fundraising operations. UPenn previously confirmed unauthorized access to “a select group” of systems tied to development and alumni activities and said attackers also used official university email addresses to message alumni about the incident. Harvard reported its Alumni Affairs and Development environment was accessed following a **phone/voice-phishing** attack, and its incident FAQ described impacted data as including contact details (email, phone, home/business addresses), event attendance, donation details, and other biographical and fundraising-related information; public reporting noted uncertainty about whether affected individuals would receive individual notifications under applicable state requirements.
1 months agoPhishing Campaigns Targeting US Universities and Higher Education
A coordinated phishing campaign targeted at least 18 American universities over several months used the open-source Evilginx phishing kit to bypass multi-factor authentication (MFA) and compromise student and staff accounts. Attackers employed adversary-in-the-middle (AiTM) tactics, leveraging personalized emails with short-lived TinyURLs that mimicked university single sign-on (SSO) portals. By capturing both credentials and session cookies, the attackers were able to fully take over accounts, despite MFA protections. The campaign demonstrated advanced operational security, including frequent changes to attack links and the use of services like Cloudflare to obscure infrastructure, as detailed in Infoblox's investigation. Separately, Harvard University experienced a breach of its Alumni Affairs and Development office systems, attributed to a successful mobile phishing ("mishing") attack. The attacker gained access to internal systems, which the university subsequently secured. This incident highlights the growing trend of mobile-first phishing strategies that bypass traditional desktop and network defenses, posing significant risks to organizations with distributed workforces and sensitive data. The breach underscores the need for dedicated mobile threat defense solutions, as standard MDM and UEM tools are insufficient against sophisticated mobile phishing attacks.
3 months ago