Sensitive Financial and Admissions Data Leaked, Exposing Information on Major Donors

On February 4, 2026, the cyber extortion group ShinyHunters publicly took responsibility for the late 2025 data breaches impacting Harvard University and the University of Pennsylvania. They claimed to have compromised over 2 million records, subsequently publishing them on a dark web leak site.
According to threat intelligence firm Hudson Rock, the leaked data encompasses sensitive admissions and fundraising details, including a list of ‘top donors,’ alongside information about spouses, parents, and prospective students. Hudson Rock characterized this data as a “social graph,” providing insights into wealth hierarchies and personal networks.
Among the revelations was fundraising information listing Facebook co-founder Mark Zuckerberg as a donor contributing $604 million, accompanied by his home and private email addresses. Other notable contributors included former New York City Mayor Michael Bloomberg and Microsoft co-founder Steve Ballmer. Furthermore, the expert review described documents from a “Bill Gates Top Prospect Strategy Meeting” aiming to secure additional funding for university programs.
The leak also contained various legal agreements, including one from billionaire investor Bill Ackman, who committed $200,000 annually for 25 years to support Harvard’s economics department initiatives.
Harvard University did not immediately comment in response to inquiries about the security breach. The institution previously acknowledged a cybersecurity incident involving unauthorized access to alumni affairs systems in November 2025, reportedly tied to social engineering tactics. Similarly, the University of Pennsylvania confirmed that hackers had breached certain information systems focused on development and alumni activities.
Extortion schemes typically culminate in data leaks if the victim organization refuses payment demands, with the attackers using such leaks as psychological pressure on future targets. ShinyHunters has also been implicated in a series of voice phishing (vishing) campaigns. Charles Carmakal, CTO of Google Cloud’s Mandiant unit, indicated that the group employs advanced phishing toolkits to deceive victims into surrendering their credentials via fraudulent login portals masquerading as legitimate sites.
The threat actors appear to follow a strategic playbook, systematically targeting multiple sectors, including education, healthcare, and energy. Investigations show ShinyHunters has been linked to around 150 domains connected to its ongoing vishing campaigns, raising substantial concerns for targeted organizations.
Experts emphasize a pressing need for enterprises to adopt robust cybersecurity practices, including phishing-resistant multi-factor authentication (MFA) and a “Zero Trust” architecture. Such measures are crucial given the incident’s implications for institutions that manage sensitive data in cloud-based environments, which may present a single point of failure.
As the threat landscape evolves, the need for organizations to remain vigilant against social engineering tactics becomes increasingly critical. Experts advise against engaging with extortion attempts, as doing so could invite further harassment and increase vulnerability to future attacks. Insights from the incident underscore the imperative for proactive security measures in today’s complex cyber environment.
Reported by Information Security Media Group’s David Perera in Northern Virginia.