Phishing Breaches at Harvard and UPenn Escalate Into Data Leak

Hackers Leak Over Two Million Records After Harvard, UPenn Refuse Ransom

The420 Web Desk

A notorious cybercrime group has published what it claims are more than two million personal records stolen from Harvard University and the University of Pennsylvania (UPenn), escalating last year’s data breaches into a full-scale privacy crisis for both Ivy League institutions.

The group, known as ShinyHunters, uploaded the datasets to its leak platform this week after the universities allegedly declined to pay a ransom. Cybersecurity analysts say the move follows a familiar pattern of digital extortion — hackers steal sensitive data, demand payment, and release the information publicly when victims refuse to comply.

From Campus Breach to Public Leak

According to material reviewed by cybersecurity researchers, the leaked records appear to match the categories of information both universities acknowledged had been accessed during separate incidents in late 2025.

UPenn had earlier confirmed a breach affecting select systems linked to its development and alumni operations. At the time, attackers also sent mass emails to alumni using official university addresses, alerting recipients to the compromise. The university attributed the intrusion to social engineering — a tactic in which attackers impersonate trusted individuals to trick staff into granting access.

Claims Verified, Scope Comes Into Focus

In its initial disclosure, UPenn stopped short of detailing exactly what data was taken, stating only that systems tied to alumni and fundraising activities had been accessed. This week, however, ShinyHunters claimed responsibility for the attack and said it had obtained more than one million records from the university.

Tech investigators independently verified portions of the dataset by cross-checking information with alumni and public records, lending credibility to the hackers’ claims.

Harvard later confirmed a separate breach of its alumni systems, blaming the incident on a voice-phishing attack in which targets were manipulated over phone calls into opening malicious links or attachments. The university said the compromised data included email addresses, phone numbers, home and business addresses, event participation details, donation histories and other biographical information connected to alumni engagement and fundraising.

Extortion Tactics and a Familiar Playbook

Security experts say both attacks appear linked to a broader phishing campaign that targeted identity providers and single sign-on services, enabling criminals to move laterally across institutional networks once credentials were obtained.

In statements shared with media outlets, ShinyHunters said it published the data after both universities refused to negotiate. Such tactics are common among extortion-focused hacking groups, which increasingly rely on public leaks to pressure organisations into paying.

During the UPenn breach, attackers also circulated politically charged messages criticising affirmative action policies while notifying alumni of the hack. Analysts noted that ShinyHunters has no known ideological alignment and is primarily financially motivated, suggesting the language was likely used to provoke attention rather than signal genuine political intent.

Universities Assess Fallout as Risks Mount

A UPenn spokesperson said the university is now analysing the leaked material and will notify affected individuals in line with applicable privacy regulations. Harvard did not issue a fresh response following the public release of the data.

The incident underscores growing concerns around cybersecurity in higher education, where large alumni databases, donor records and legacy systems make universities attractive targets. Unlike corporate victims, academic institutions often hold decades of personal information spanning students, faculty and benefactors — a trove that can be monetised through fraud, identity theft and resale on underground markets.

Cybersecurity specialists warn that phishing remains the weakest link in institutional defence, despite increased awareness campaigns. Voice-based scams, in particular, are proving harder to detect, as attackers exploit trust and urgency in real-time conversations.

For affected alumni, the exposure raises risks ranging from targeted scams to long-term identity misuse. Experts recommend monitoring financial accounts, enabling multi-factor authentication and remaining cautious of unsolicited communications referencing university affiliations.
