A significant data breach has emerged, as a cybercrime organization known as ShinyHunters has claimed responsibility for leaking over two million personal records reportedly stolen from Harvard University and the University of Pennsylvania (UPenn). This incident marks an escalation of last year’s data breaches, creating a serious privacy crisis for both institutions.
The breach came to light when ShinyHunters uploaded the datasets to their leak platform, following the universities’ decision not to pay the ransom demanded by the attackers. Cybersecurity experts note that this tactic aligns with a familiar pattern of digital extortion, where sensitive data is taken, payment is requested, and the information is publicly released if the victims fail to comply.
From Campus Breach to Public Leak
According to findings reviewed by cybersecurity analysts, the leaked data corresponds to the types of information that both universities acknowledged as compromised during separate incidents in late 2025. UPenn had previously confirmed a breach affecting specific systems associated with its alumni and fundraising operations. At that time, attackers also sent mass email notifications to alumni from the university’s official addresses, alerting recipients to the breach. UPenn attributed the incident to social engineering, a method in which attackers impersonate trusted individuals to deceive staff into granting access.
ShinyHunters claims to have acquired more than one million records from UPenn alone. This assertion has been partially substantiated by tech investigators, who cross-verified portions of the dataset with existing alumni and public records, lending credibility to the hackers’ claims. Harvard University has since confirmed a separate intrusion into its alumni systems, which it attributed to a voice-phishing attack that tricked targets into engaging with malicious links or attachments. The compromised data included email addresses, phone numbers, and other personal information tied to alumni-related activities.
Extortion Tactics and a Familiar Playbook
Security professionals indicate that both attacks appear to be part of a broader phishing campaign targeting identity providers and single sign-on services. With credentials obtained this way, the attackers could move laterally through institutional networks. In statements to various media outlets, ShinyHunters announced that they opted to disclose the data after the universities refused to engage in negotiations, a common strategy among extortion-oriented hacking groups that use public leaks to pressure organizations into paying.
Universities Assess Fallout as Risks Mount
Cybersecurity experts continue to emphasize that phishing remains a critical vulnerability in institutional defenses. Voice-based scams are particularly challenging to detect, as attackers exploit trust dynamics in real-time interactions. For those affected, the risks range from targeted scams to long-term identity misuse. Affected individuals are advised to monitor their financial accounts, enable multi-factor authentication, and exercise caution with unsolicited communications related to their university affiliations.
