ShinyHunters claims responsibility for Harvard and UPenn data breaches, publishes stolen alumni records

A well-known hacking group has claimed responsibility for data breaches at Harvard University and the University of Pennsylvania and has released what it says are large volumes of stolen alumni and donor data from both institutions.

On Wednesday, the cybercriminal group known as ShinyHunters published datasets it claims contain more than 1 million records from each university on its leak platform, which is used to pressure victims into paying ransoms. The group said the data was released after both universities declined to meet extortion demands.

The University of Pennsylvania, an Ivy League research university based in Philadelphia, disclosed in November that it had identified unauthorized access to a limited set of systems connected to development and alumni operations. During the incident, attackers sent emails to alumni from official university email accounts announcing the intrusion. The university attributed the breach to a social engineering attack, a technique that relies on deception to manipulate individuals into granting access or credentials.

At the time of the disclosure, the university did not specify the exact categories of data involved, stating only that systems related to alumni relations and fundraising had been accessed. The university’s breach notification webpage was later taken offline. Portions of the data circulating online have since been independently verified through confirmation with affected alumni and by matching certain records with publicly available information, including student identification numbers.

Harvard University, a private research university based in Cambridge, Massachusetts, confirmed later in November that its alumni systems had also been compromised. The university said the incident resulted from a voice phishing attack, in which attackers used phone calls to trick individuals into clicking malicious links or opening harmful attachments. Harvard stated that the exposed information included email addresses, phone numbers, home and business addresses, records of event attendance, donation details, and other biographical data connected to alumni engagement and fundraising activities.

The datasets published by ShinyHunters appear consistent with the types of information both universities acknowledged were accessed during the 2024 incidents.

During the University of Pennsylvania breach, the attackers sent messages to alumni that included politically charged language criticizing affirmative action policies and legacy admissions. Despite that messaging, ShinyHunters has not been known to operate with political motives, and the group has not provided an explanation for the inclusion of that language.

A spokesperson for the University of Pennsylvania said the institution is reviewing the data that has been posted and will notify affected individuals if required under applicable privacy laws. Harvard did not issue a public response following the release of the data.

ShinyHunters has been linked to multiple high-profile data breaches in recent years and is known for stealing large datasets and attempting to extort organizations by threatening public disclosure when ransom demands are refused.