The notorious cybercrime group ShinyHunters just made good on its threat, dumping over two million records from Harvard University and the University of Pennsylvania after both schools refused to pay up. The data breach, which started with social engineering attacks last November, exposed alumni donor information, contact details, and fundraising records - now available on the group's public extortion site. It's a stark reminder that even elite institutions remain vulnerable to sophisticated phishing campaigns, and that saying no to extortion demands often means watching your data go public anyway.
A notorious hacking collective just turned up the heat on two of America's most prestigious universities. ShinyHunters, the cybercrime group behind a string of high-profile data thefts, published what it claims are more than one million records each from Harvard University and the University of Pennsylvania on Wednesday, following through on extortion threats after both schools refused to pay ransoms.
The data dump represents the culmination of breach campaigns that began last November, when the hackers first infiltrated alumni and development systems at both institutions. TechCrunch verified portions of the leaked datasets by cross-referencing alumni information with public records and student ID numbers - confirming the data's authenticity and raising serious questions about the security posture of even elite educational institutions.
The UPenn breach came to light in November when the university confirmed hackers had accessed "a select group of information systems related to Penn's development and alumni activities." But the intrusion became impossible to ignore when the attackers sent mass emails to alumni directly from official university addresses, announcing their successful hack. That brazen move demonstrated not just access to data, but active control over university communication systems.
UPenn blamed the breach on social engineering - the art of manipulating people into breaking normal security procedures. The university's official breach disclosure page, which has since been taken offline, offered few specifics about what exactly was stolen, stating only that cybercriminals accessed "systems related to Penn's development and alumni activities." That vagueness is now moot, as the published data reveals the scope: contact information, donation histories, and biographical details tied to fundraising operations.












