Hackers Publish Personal Information Stolen During Harvard, UPenn Data Breaches

A well-known cybercrime group has claimed responsibility for last year’s data breaches at Harvard University and the University of Pennsylvania, and has now released the data it says it stole from both institutions.

On Wednesday, the hacking group ShinyHunters published, on its dedicated leak site, what it claims are more than 1 million records from each university, which it uses as part of its extortion campaigns.

In November, UPenn confirmed a data breach involving “a select group of information systems related to Penn’s development and alumni activities.” Around the same time, hackers sent emails to alums announcing the breach — messages that appeared to come from official university email addresses.

The university attributed the breach to social engineering, a tactic in which attackers impersonate trusted individuals to trick targets into revealing access or information they would not usually share. On its official breach disclosure page — which has since been taken offline — UPenn did not specify exactly which data was taken, stating only that attackers accessed systems related to development and alums engagement.

TechAmerica.ai verified portions of the leaked dataset by confirming details with alums and comparing them against public records, including student ID numbers.

Later in November, Harvard University also confirmed a breach affecting its alum systems, which it said was caused by a voice phishing (vishing) attack. In such attacks, hackers use phone calls to trick individuals into clicking malicious links or opening infected attachments.

Harvard said the stolen information included email addresses, phone numbers, home and business addresses, event attendance records, donation details, and other biographical data connected to alum engagement and fundraising activities.

The dataset released by ShinyHunters — which TechAmerica.ai reviewed — appears consistent with the types of information both universities acknowledged were compromised last year.

The hackers said they published the data after Harvard and UPenn refused to pay a ransom. Groups like ShinyHunters typically attempt to extort organisations by demanding payment in exchange for not releasing stolen data; if victims decline, the attackers often publish the information online.

During the UPenn breach, the hackers suggested political motivations, expressing opposition to affirmative action policies. “We hire and admit morons because we love legacies, donors, and unqualified affirmative action admits,” the hackers wrote in an email sent to alumni.

However, ShinyHunters is not known to operate with political motives. The group did not respond to questions about why that language was included in the message.

UPenn spokesperson Ron Ozio said that the university is “analyanalyzingdata and will notify any individuals if required by applicable privacy regulations.”

Harvard University did not respond to a request for comment.