Harvard & UPenn Data Breach: Hackers Leak Over 1 Million Alumni Records

A notorious cybercrime group has escalated last year’s university data breaches into a full-blown privacy crisis, claiming to have published more than one million records each from Harvard University and the University of Pennsylvania (UPenn). The hackers, known as ShinyHunters, released the data on their leak site, a platform commonly used to pressure victims into paying ransom demands.
The move transforms what were previously contained institutional breaches into a broader public data exposure event, raising concerns for alumni, donors, and affiliated professionals worldwide.
What Happened?
Both universities disclosed security incidents in late 2025 involving systems tied to alumni and fundraising operations, not academic records.
UPenn Breach
UPenn previously confirmed that attackers gained access to systems linked to development and alumni engagement. The intrusion was attributed to social engineering, a tactic where cybercriminals manipulate individuals into granting access or revealing credentials.
At the time, the attackers even sent emails from official university accounts to alumni, amplifying the credibility of the breach.
Harvard Breach
Harvard reported a similar attack, attributing the compromise to voice phishing (vishing), where victims are tricked during phone calls into clicking malicious links or opening infected files.
Harvard acknowledged that exposed data included:
- Email addresses
- Phone numbers
- Home and business addresses
- Event participation history
- Donation records
- Biographical alumni details
The data primarily relates to fundraising and alumni networks, not classroom or research systems.
Who Are ShinyHunters?
ShinyHunters is a well-known hacking collective tied to multiple global data breaches over the years. The group typically:
- Steals large datasets
- Publishes samples publicly
- Uses leak sites for extortion pressure
By releasing the university data publicly, the attackers signal that negotiations may have failed or that they aim to maximize pressure through reputational damage.
Why This Matters
This breach highlights a growing trend: cybercriminals targeting universities’ non-academic systems, which often contain rich personal and financial data but may not have the same security controls as research or core IT networks.
Risks for affected individuals include:
- Phishing and scam campaigns
- Identity theft attempts
- Donation fraud schemes
- Long-term social engineering risks
Because alumni databases often include high-net-worth individuals, they are increasingly attractive targets.
The Bigger Cybersecurity Pattern
Universities globally are under mounting cyber pressure because they:
- Manage vast legacy IT systems
- Store decades of personal data
- Operate complex third-party integrations
- Maintain large alumni fundraising databases
Attackers increasingly use human-focused attack methods like phishing and vishing rather than direct system hacking.
What Affected Individuals Should Do
Cybersecurity experts typically advise:
- Monitor financial and donation accounts
- Be cautious of emails referencing alumni activities
- Enable multi-factor authentication
- Watch for targeted phishing calls or texts
The Bottom Line
The publication of Harvard and UPenn alumni data marks a shift from institutional breach to public data leak, magnifying the potential long-term impact. As universities expand digital fundraising and global alumni engagement, they are becoming high-value targets in the evolving cybercrime landscape.
Covering startup news, AI, technology, and business at ThePrimely. Delivering accurate, in-depth reporting on the stories that shape the future.