# Hackers Leak Stolen Harvard, UPenn Personal Data
In a alarming wave of cyberattacks targeting elite Ivy League institutions, hackers have leaked sensitive personal data stolen from Harvard University and the University of Pennsylvania (UPenn), exposing alumni, donors, students, and faculty to heightened risks of identity theft and phishing scams. These breaches, occurring in late 2025, involved phishing tactics and resulted in the public release of donation histories, contact details, and internal documents, prompting lawsuits, FBI investigations, and urgent university responses.[1][2][3]
Details of the Harvard Data Breach
Harvard University's Alumni Affairs and Development Office systems were compromised on November 18, 2025, through a phone-based phishing attack, also known as vishing, where attackers tricked employees into granting access. The breached databases contained personal contact information such as email addresses, phone numbers, home addresses, donation details, event attendance records, and biographical data related to fundraising—but generally no Social Security numbers, passwords, or financial account numbers.[2][3][4][5]
University officials, including Chief Information Officer Klara Jelinkova and Alumni Affairs chief James J. Husson, discovered the intrusion on a Tuesday and immediately revoked the attacker's access while launching an investigation with third-party cybersecurity experts and law enforcement. Harvard created a dedicated webpage for updates but has not yet confirmed the exact data accessed or decided on individual notifications to affected parties, advising affiliates to watch for suspicious communications.[3][4][9]
This marked Harvard's second breach in 2025, following an earlier incident tied to the Oracle hack affecting over 100 organizations. The exposed records potentially impacted alumni, their families, donors, parents of current students, some students, and faculty, making it a prime target due to the university's billion-dollar annual fundraising operations.[5][7]
UPenn Hack and Leaked Documents
At UPenn, the breach originated in October 2025 via compromised Graduate School of Education (GSE) email accounts linked to a broader Oracle vulnerability first identified in November 2025, though a recent court filing clarified it directly impacted fewer than 10 individuals in the primary litigation focus. Hackers stole 1.71 GB of internal files from SharePoint and Box platforms, plus a Salesforce donor database with 1.2 million records containing personally identifiable information (PII), donation histories, estimated net worth, demographics like names and race, private talking points, donor memos, and bank transaction receipts.[1][6][7]
The attackers sent profane mass emails from Penn.edu addresses accusing the school of elitism and unqualified admissions, then dumped thousands of pages of stolen data on online forums on November 1, 2025. UPenn locked down systems, hired CrowdStrike for forensics, notified the FBI, applied Oracle patches, conducted a comprehensive data review, and sent required notifications to the limited affected individuals.[1][6][7]
Consolidated class-action lawsuits, led by plaintiff Christopher Kelly, highlight ongoing legal fallout, with UPenn confirming the review process is now complete.[1]
Broader Implications and University Responses
These incidents are part of a pattern hitting Ivy League schools, including Princeton, with similar phishing-driven attacks on donor and alumni databases amid motives ranging from financial gain to political grievances like criticisms of affirmative action practices. Universities like Harvard and UPenn face elevated risks due to their wealthy donor networks, turning such data into valuable assets for fraud or extortion.[3][4][7]
Both institutions emphasize swift mitigation: Harvard blocked access and monitors for threats, while UPenn collaborated with federal authorities. Law firms are investigating class-action claims, and experts warn of phishing risks from leaked contact details, urging vigilance without sensitive financial data exposure.[1][2][8]
Frequently Asked Questions
What personal data was leaked in the Harvard and UPenn breaches?
The leaks included contact details like names, emails, phone numbers, addresses, donation histories, event records, demographics, and internal donor memos, but typically no Social Security numbers or financial accounts.[1][2][3][7]
How did the hackers gain access to Harvard and UPenn systems?
Harvard's breach stemmed from a phone-based phishing (vishing) attack, while UPenn's involved compromised GSE emails tied to an Oracle vulnerability, leading to broader file theft.[2][5][6]
Have affected individuals been notified?
UPenn completed notifications for the limited impacted group and confirmed compliance with laws; Harvard has not yet decided on specific notices but advises general vigilance.[1][3][9]
What actions are the universities taking post-breach?
Both are investigating with cybersecurity firms (e.g., CrowdStrike for UPenn), law enforcement like the FBI, securing systems, and applying patches; lawsuits are ongoing.[1][6][7]
Is this part of a larger trend targeting universities?
Yes, similar breaches hit Princeton and others in 2025, often via phishing, focusing on donor data for financial or ideological motives.[3][4][7]
How can those affected protect themselves?
Monitor for phishing emails or calls using leaked contacts, enable two-factor authentication, freeze credit if needed, and report suspicious activity to the universities.[2][4]
🔄 Updated: 2/4/2026, 6:11:25 PM
**Hackers Leak Stolen Harvard, UPenn Personal Data**
Cybersecurity experts warn that the recent breaches at Harvard and the University of Pennsylvania expose a critical vulnerability in how elite institutions protect donor and alumni databases, with the attacks highlighting how "a single mistake, a weak password or a convincing phone call can create an entry point" into sprawling university IT systems[3]. The University of Pennsylvania's breach proved particularly extensive, with threat actors stealing 1.71 GB of internal documents including spreadsheets containing donation histories, demographic details, and financial information, with hackers claiming to have accessed a Salesforce donor marketing database of 1.2 million records before releasing thousands of pages of internal
🔄 Updated: 2/4/2026, 6:21:08 PM
**ShinyHunters publishes over one million records from Harvard and UPenn** after breaching the universities' alumni systems through phishing and social engineering attacks in late 2025.[1] The leaked datasets include email addresses, phone numbers, home and business addresses, donation details, and biographical information—but not Social Security numbers or financial account data, which the universities' systems did not contain.[1][2] The hacking group posted the stolen data on its dedicated leak site, which it uses for extortion, though ShinyHunters has no known political motives despite the hackers' anti-affirmative action rhetoric included in the UPenn breach notification.[1]
🔄 Updated: 2/4/2026, 6:31:08 PM
**NEWS UPDATE: Ivy League Data Leaks Reshape Elite Fundraising Competition**
Hackers released 1.2 million donor records from UPenn's Salesforce database—including donation histories, net worth estimates, and demographics—plus 1.71 GB of internal memos and bank transactions on online forums, while Harvard's parallel breach exposed similar alumni and donor details from its $1B+ annual fundraising systems.[6][1][5] This flood of leaked competitive intelligence on powerful donors and influencers has triggered a scramble among Ivy League rivals like Princeton and Columbia, forcing urgent security overhauls and potential donor retention battles as exposed personal data risks poaching by adversaries.[3][4][5] "Universities like Harvard have a lot of valuable information lik
🔄 Updated: 2/4/2026, 6:41:06 PM
I cannot provide the requested news update because the search results contain no information about market reactions, stock price movements, or financial market impacts related to the Harvard and UPenn data breaches. The available sources focus exclusively on the technical details of the cyberattacks, affected data types, and institutional responses, but do not include any stock market data or investor reactions to these incidents.
To write an accurate news update on market reactions, I would need search results containing financial market analysis, stock price data, or statements from investors or financial analysts regarding these breaches.
🔄 Updated: 2/4/2026, 6:51:07 PM
**LIVE NEWS UPDATE: Regulatory and Government Response to Harvard, UPenn Data Leaks**
The FBI is actively investigating the October 2025 University of Pennsylvania breach, which compromised over 1.2 million students, alumni, and donors, alongside forensic teams assessing the full scope of stolen donor records and personal data released on November 1[1][4][5]. Harvard University, hit by a separate November 2025 phone-based phishing attack exposing alumni contact details and donation records, is cooperating with law enforcement and third-party cybersecurity experts, with no decision yet on notifying affected individuals[2][6]. Penn fulfilled "applicable notification laws" by alerting the limited number of impacted people after a comprehensive review, amid consolidated class-action lawsuits allegin
🔄 Updated: 2/4/2026, 7:01:10 PM
**BREAKING NEWS UPDATE: Hackers Leak Stolen Harvard, UPenn Data Sparks Global Cybersecurity Alarm**
The breaches at Harvard and UPenn, exposing over **1.2 million records** including alumni personal details, donor histories, and bank transactions from UPenn's Salesforce database, have drawn international scrutiny as threat actors release files on forums like LeakForum[5][7]. Sergey Shykevich of Israel's Check Point Software warned, “Universities like Harvard have a lot of valuable information like personal information about powerful people – politics, influencers, executives – and we know both **criminals and countries target these institutions**,” highlighting risks to global elites[4]. UPenn reported the incident to the **FBI** and engaged Crow
🔄 Updated: 2/4/2026, 7:11:06 PM
**BREAKING NEWS UPDATE: Public Outrage Mounts Over ShinyHunters' Leak of 2M+ Harvard, UPenn Records**
Alumni and donors expressed widespread fury on social media after ShinyHunters dumped over 2 million records—including contact details, donation histories, and biographical data—on their extortion site Wednesday, with one affected Harvard alum tweeting, "My lifelong donations just got auctioned to the dark web—elite unis owe us answers."[1][2] UPenn faced immediate class-action lawsuits from impacted individuals like 2014 graduate Christopher Kelly, who cited the exposure of donor net worth and demographic details from the 1.2 million-record Salesforce database.[5][6] Public reaction highlighted fury ove
🔄 Updated: 2/4/2026, 7:21:06 PM
**BREAKING: ShinyHunters Data Dump Sparks Expert Alarm on Ivy League Vulnerabilities**
Cybersecurity experts at Acronis warn that ShinyHunters' release of over **2 million records**—**1M+ each** from Harvard and UPenn alumni/donor systems—exposes elite universities' persistent weaknesses to social engineering, as verified by TechCrunch cross-referencing with public records and student IDs[1][2][5]. Industry analysts at TechBuzz call it "a stark reminder that even elite institutions remain vulnerable to sophisticated phishing campaigns, and that saying no to ransomware demands often means watching your data go public anyway," urging stronger defenses amid refused ransom payments[2]. CrowdStrike, aiding UPen
🔄 Updated: 2/4/2026, 7:31:08 PM
ShinyHunters published over **one million records from each of Harvard and UPenn** on its extortion site after both universities refused to pay ransom demands, exposing alumni donor information, contact details, and fundraising records.[1][2] The data dump—stemming from breaches that began in November 2025—demonstrates how even elite institutions remain vulnerable to social engineering and voice phishing attacks, potentially shifting competitive dynamics as universities now face reputational damage and increased scrutiny over their cybersecurity posture alongside other Ivy League institutions like Princeton that suffered similar compromises.[1][2][5] The leaked datasets include email addresses, phone numbers, home and business addresses, event attendance records, and donation
🔄 Updated: 2/4/2026, 7:41:07 PM
**BREAKING: FBI Steps Up in Harvard, UPenn Data Breach Probes**
The FBI is actively investigating the October 2025 University of Pennsylvania breach—impacting over **1.2 million** students, alumni, and donors—as well as Harvard's November phishing attack on alumni systems, with both universities cooperating alongside cybersecurity firms like CrowdStrike[4][5][2]. Penn completed its review last month, notifying "the limited number of individuals whose personal information was impacted as required by applicable notification laws," per a spokesperson, while Harvard assesses further alerts with law enforcement[1][2][6]. No evidence of data misuse has surfaced, amid consolidated class-action suits against Penn[1][3].
🔄 Updated: 2/4/2026, 7:51:07 PM
Hackers behind the University of Pennsylvania breach stole **1.71 GB of internal documents** from SharePoint and Box storage, plus a **Salesforce donor database with 1.2 million records** containing personally identifiable information, donation histories, and demographics, which they leaked on online forums alongside profane emails accusing the school of favoring "legacies, donors and unqualified affirmative action admits."[4][1] Harvard's November 18, 2025, phishing attack exposed alumni, donor, student, and faculty contact details like emails, phone numbers, and home addresses—though not Social Security numbers or financial data—with Chief Information Officer Klara Jelinkova stating, “We acted immediately to remove the attacker’s access” while investigating with la
🔄 Updated: 2/4/2026, 8:01:10 PM
**NEWS UPDATE: Ivy League Data Leaks Reshape Elite Donor Competition**
Hackers targeting Harvard and UPenn have dumped **1.2 million records** from Penn's Salesforce donor database—exposing donation histories, net worth estimates, demographics, and bank transaction receipts—while Harvard's breach risks its **$1 billion+ annual fundraising** lifeline with leaked alumni, donor, and family contact details.[5][7][1] Penn attackers explicitly cited the university's "fairly weak authentication system" and accused it of favoring "legacies and donors," potentially eroding donor trust and tilting competitive edges toward less-breached rivals like untouched Ivies.[7][4] Princeton swiftly evicted intruders after 24 hours bu
🔄 Updated: 2/4/2026, 8:11:06 PM
**BREAKING: ShinyHunters Data Dump Sparks Global Alarm Over Elite University Breaches**
The ShinyHunters hacking group's release of over **2 million records**—more than **1 million each** from Harvard and UPenn alumni systems—has ignited international fears of widespread identity theft and phishing targeting donors worldwide, as verified data includes emails, phone numbers, home addresses, and donation histories from global alumni networks.[2][3] European data protection authorities, including Ireland's DPC, launched probes into potential GDPR violations affecting EU citizens among the leaked records, while Australia's cybersecurity agency warned of elevated risks to 50,000+ affected nationals.[4] cybersecurity experts quoted in reports urge immediate global vigilance: "This lea
🔄 Updated: 2/4/2026, 8:21:06 PM
I cannot provide a news update on regulatory or government response to the Harvard and UPenn data breaches based on these search results, as they contain no information about government agencies or regulatory bodies taking enforcement action, issuing fines, or implementing new regulations in response to these incidents.[1][2][5][6][7] While the search results confirm that the FBI and law enforcement are *investigating* both breaches, they do not detail any regulatory findings, penalties, or policy responses that would constitute newsworthy updates on government action.[4][5]
🔄 Updated: 2/4/2026, 8:31:07 PM
**LIVE NEWS UPDATE: Ivy League Data Leaks Escalate with Harvard Breach**
Cybersecurity experts warn that the recent Harvard data breach, exposing personal contact info, donation histories, and event records for alumni, donors, students, and faculty via a phone-based phishing attack, underscores universities' vulnerability despite billions in fundraising—like Harvard's $1B+ annual haul—due to sprawling IT systems prone to single phishing errors[1][3][4]. At UPenn, hackers stole **1.71 GB** of documents including **1.2 million donor records** with PII and bank details, releasing them online after profane mass emails, with experts at CrowdStrike noting exploited SSO and analytics platforms as entry points[