ShinyHunters Leaks Donor and Alumni Data Stolen from Harvard and UPenn
ShinyHunters published datasets it claims were stolen during prior breaches at Harvard University and the University of Pennsylvania (UPenn), posting what it says are over one million records from each university to its leak site used for extortion. Reporting indicates the exposed information relates to the schools’ development/alumni functions; TechCrunch said it verified portions of the data by corroborating details with alumni and public records (including matching against student ID numbers).
Both universities attributed the intrusions to social engineering targeting staff supporting alumni and fundraising operations. UPenn previously confirmed unauthorized access to “a select group” of systems tied to development and alumni activities and said attackers also used official university email addresses to message alumni about the incident. Harvard reported its Alumni Affairs and Development environment was accessed following a phone/voice-phishing attack, and its incident FAQ described impacted data as including contact details (email, phone, home/business addresses), event attendance, donation details, and other biographical and fundraising-related information; public reporting noted uncertainty about whether affected individuals would receive individual notifications under applicable state requirements.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
UPenn says it is analyzing leaked data for notification obligations
After the data was published, UPenn said it was reviewing the leaked information and would notify affected individuals if required by privacy regulations. Harvard did not comment on the new publication.
ShinyHunters publishes Harvard and UPenn datasets
On February 4, 2026, ShinyHunters published datasets it claimed were stolen from Harvard and UPenn, posting more than one million records from each university on its leak site. The group said it released the data after the universities refused to pay or negotiate.
Harvard discovers vishing attack on alumni systems
On November 18, 2025, Harvard discovered that its Alumni Affairs and Development systems had been compromised through a phone-based phishing, or vishing, attack. The stolen data included contact details, addresses, event attendance, donation details, and other biographical and fundraising engagement information.
UPenn publicly announces the breach
On November 11, 2025, UPenn publicly disclosed the incident. The university said the attack affected alumni and donor-related systems, while attackers allegedly exfiltrated about 1.2 million records including demographic data and estimated net worth.
UPenn confirms breach affecting alumni and development systems
At the end of October 2025, the University of Pennsylvania confirmed a breach involving systems tied to development and alumni activities. The intrusion was attributed to social engineering, and reporting linked the incident to ShinyHunters using a compromised PennKey SSO account to access internal platforms.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
ShinyHunters exposes Harvard, UPenn data | SC Media
scworld.com
Open sourceTwo Ivy League universities had donor information breaches. Will donors be notified? - DataBreaches.Net
databreaches.net
Open sourceHackers publish personal information stolen during Harvard, UPenn data breaches | TechCrunch
techcrunch.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
University of Nottingham says student and alumni data was compromised
The University of Nottingham said a cyber incident exposed a significant amount of data belonging to current and former students, and warned that people connected to its campuses in Nottingham, Malaysia, and China may be affected. The university said it is still determining exactly what was accessed, but is treating **contact details, university-related information, financial data, and sensitive personal information** as potentially compromised while a third-party forensic investigation continues. It has notified affected students and alumni and published a notice confirming that student and alumni data had been compromised. The **ShinyHunters** cybercrime group claimed responsibility on its extortion site, alleging it stole more than **40GB** of material including credit card and payment details. Analysis of partially published data by **Have I Been Pwned** indicated the leak contains about **455,000 unique email addresses** along with extensive personal information, although the full scope remains unverified and ShinyHunters has previously been accused of exaggerating or misrepresenting stolen data in extortion campaigns.
Jun 12, 2026
Figure Data Breach Linked to Employee Social Engineering and ShinyHunters Leak
**Figure Technology Solutions**, a blockchain-based lending/fintech firm, confirmed a **data breach** after an employee was **socially engineered**, enabling attackers to access and exfiltrate a **limited number of files**. The company said it is communicating with partners and impacted individuals, has begun sending notifications, and is offering **free credit monitoring** to recipients of breach notices; it has not publicly disclosed the total number of affected individuals or when the incident was detected. The cybercrime group **ShinyHunters** claimed responsibility and alleged Figure refused to pay a ransom, publishing about **2.5GB** of purportedly stolen data on its leak site. Journalists who reviewed samples reported the exposed data included **names, home addresses, dates of birth, and phone numbers**, increasing risk of identity fraud and follow-on phishing. ShinyHunters also told reporters the intrusion was part of a broader campaign affecting organizations including **Harvard University** and **UPenn**, and referenced victims that rely on **Okta** for single sign-on.
Mar 21, 2026
University of Pennsylvania Email System Breach and Data Leak
A hacker gained unauthorized access to the University of Pennsylvania's Salesforce Marketing Cloud mailing system, using it to send a mass email to approximately 700,000 recipients and mock the university's security and admissions practices. The attacker claimed to have exfiltrated sensitive data on 1.2 million donors, alumni, and students, including names, birthdates, addresses, contact information, estimated net worth, donation history, and demographic details such as religion, race, and sexual orientation. The university confirmed the breach originated from its connect.upenn.edu platform, which is hosted by Salesforce, and that the attacker was able to distribute the message widely before losing access on October 31. Despite losing initial access, the attacker asserted continued control over the Salesforce Marketing Cloud system and subsequently published a 1.7-gigabyte archive allegedly containing the stolen data. The incident highlights significant risks associated with third-party cloud-based communication platforms and the potential for large-scale exposure of sensitive personal and financial information. The breach has raised concerns about the security of university systems and the protection of donor and student data, with the attacker openly ridiculing the institution's cybersecurity posture in the process.
Mar 21, 2026