The ShinyHunters cybercriminal group has published stolen data from Harvard University and the University of Pennsylvania after both institutions refused to pay ransom demands. The breach, which occurred in late 2025 through social engineering attacks, exposed approximately 2 million records containing sensitive alumni, donor, and student information.
Incident overview
| Attribute | Details |
|---|---|
| Threat actor | ShinyHunters / Scattered LAPSUS$ Hunters |
| Victims | Harvard University, University of Pennsylvania |
| Data published | February 4, 2026 |
| Original breach | November 2025 |
| Harvard records | ~1.1 million (1.1GB compressed) |
| UPenn records | ~900,000 |
| Attack method | Voice phishing (vishing) with potential deepfake |
| Ransom paid | No (both institutions) |
Timeline
| Date | Event |
|---|---|
| November 2025 | Initial unauthorized access to Harvard Alumni Affairs and Development (AAD) systems |
| November 2025 | Harvard acknowledges cybersecurity incident |
| Late 2025 | ShinyHunters contacts institutions with ransom demands |
| January 2026 | Both universities decline to pay |
| February 4, 2026 | ShinyHunters publishes stolen data |
| February 2026 | Class action lawsuit filed, later withdrawn |
Data exposed
Harvard University
| Data type | Risk level |
|---|---|
| Email addresses | High |
| Phone numbers | High |
| Home addresses | High |
| Business addresses | Medium |
| Event attendance records | Medium |
| Donation details | High |
| Biographical information | Medium |
Affected populations
| Group | Exposure |
|---|---|
| Alumni | Primary targets of AAD systems |
| Donors | Financial contribution history |
| Spouses/partners of alumni | Contact information |
| Parents of students | Biographical data |
| Current students | Limited records |
| Faculty and staff | Some records |
UPenn data
| Data type | Details |
|---|---|
| Total records | ~900,000 |
| Similar scope | Alumni affairs and development data |
| Overlap with Harvard | Same threat actor, same techniques |
Attack methodology
Social engineering chain
| Stage | Technique |
|---|---|
| 1 | Vishing campaign targeting administrative staff |
| 2 | Potential deepfake voice impersonation of IT support |
| 3 | Direction to typosquatted SSO portal |
| 4 | Man-in-the-Middle credential capture |
| 5 | MFA bypass via push notification approval |
| 6 | Lateral movement within AAD systems |
Why the attack succeeded
| Factor | Vulnerability |
|---|---|
| Cloud-based platforms | Centralized target for attackers |
| Bypassable MFA | Push notifications susceptible to social engineering |
| Wealth of data | Alumni systems contain high-value information |
| Single point of failure | Credential compromise grants broad access |
Institutional response
Harvard statement
Harvard acknowledged the breach and confirmed:
“The university experienced unauthorized access to alumni affairs systems through social engineering tactics.”
UPenn statement
The University of Pennsylvania issued a similar acknowledgment:
“We are working with law enforcement and cybersecurity experts to investigate this incident and protect affected individuals.”
Why no ransom paid
| Rationale | Consideration |
|---|---|
| No guarantee of data deletion | Criminals may retain copies |
| Funding criminal enterprise | Encourages future attacks |
| Law enforcement guidance | FBI recommends against payment |
| Institutional policy | Many universities prohibit ransom payments |
Legal developments
Class action lawsuit
| Attribute | Status |
|---|---|
| Filed | February 2026 |
| Allegation | Failure to adequately secure alumni database |
| Status | Voluntarily withdrawn |
| Plaintiff claim | Inadequate security measures |
The lawsuit alleged Harvard failed to implement proper security controls despite holding sensitive personal and financial information on millions of individuals.
Security researcher analysis
Security researchers noted critical vulnerabilities in the institutions’ approach:
“By centralizing admissions statuses, wealth ratings and private family hierarchies into cloud-based platforms protected by bypassable MFA, institutions have created a single point of failure.”
Recommended mitigations
| Control | Purpose |
|---|---|
| FIDO2/hardware keys | Phishing-resistant MFA |
| Zero Trust architecture | Assume breach, verify continuously |
| Privileged access management | Limit administrative credentials |
| Security awareness training | Counter social engineering |
| Network segmentation | Limit lateral movement |
ShinyHunters profile
Group characteristics
| Attribute | Details |
|---|---|
| First observed | 2020 |
| Operating model | Data extortion |
| Tactics | Breach and leak if unpaid |
| Known victims | 70+ major organizations |
| Affiliation | Scattered LAPSUS$ Hunters collective |
Recent ShinyHunters activity
| Target | Sector |
|---|---|
| Match Group | Dating/Social |
| Allianz Life | Insurance |
| Crunchbase | Business data |
| Harvard/UPenn | Education |
The group has escalated activity against high-profile targets, focusing on organizations with valuable data and the financial means to pay ransoms.
Impact on affected individuals
Identity theft risks
| Risk | Mitigation |
|---|---|
| Phishing attacks | Verify all communications |
| Donation fraud | Contact university directly |
| Targeted scams | Wealth data enables customized approaches |
| Credential stuffing | Use unique passwords |
Recommendations for affected individuals
| Priority | Action |
|---|---|
| Immediate | Monitor credit reports |
| Immediate | Enable MFA on all accounts |
| High | Be alert to phishing targeting Harvard/UPenn affiliations |
| High | Verify any donation requests directly |
| Ongoing | Consider identity monitoring services |
Higher education sector implications
Systemic vulnerabilities
| Issue | Risk |
|---|---|
| Legacy systems | Often lack modern security controls |
| Decentralized IT | Inconsistent security policies |
| Vast data holdings | Decades of alumni records |
| Budget constraints | Security competes with academic priorities |
Sector-wide recommendations
| Priority | Action |
|---|---|
| Critical | Implement phishing-resistant MFA |
| Critical | Audit alumni/development system access |
| High | Segment sensitive databases |
| High | Train staff on vishing attacks |
| Medium | Implement data minimization |
| Ongoing | Regular security assessments |
Indicators of compromise
Social engineering indicators
| Indicator | Detection |
|---|---|
| IT support calls requesting credentials | Verify through official channels |
| Links to unfamiliar SSO portals | Check domain carefully |
| Urgency in requests | Classic social engineering |
| Requests to approve MFA prompts | Never approve unexpected prompts |
Network indicators
| Indicator | Action |
|---|---|
| Logins from unusual locations | Geographic anomaly detection |
| Bulk data access | DLP monitoring |
| Off-hours access to AAD systems | Time-based alerts |
| Access from unmanaged devices | MDM verification |
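The four network indicators above expressed as one correlation rule over access logs, as an added example that is not part of the original article and not either university's tooling; the log format, the business-hours window, the bulk threshold, the per-user geographic baseline and the log lines themselves are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not real data): timestamp, user, source country,
# device management state, and number of AAD records returned by the request.
SAMPLE_LOG = """\
2025-11-03T10:12:04 jdoe US managed 14
2025-11-03T10:20:41 jdoe US managed 22
2025-11-03T23:48:17 jdoe RO unmanaged 18000
2025-11-04T00:02:55 jdoe RO unmanaged 25000
2025-11-04T09:05:10 asmith US managed 9
"""

# Tunable assumptions: staff work 07:00-18:59, more than 5000 records in one
# request counts as bulk, and each user's usual countries come from a baseline.
BUSINESS_HOURS = range(7, 19)
BULK_THRESHOLD = 5000
GEO_BASELINE = {"jdoe": {"US"}, "asmith": {"US"}}

def parse_line(line):
    ts, user, country, device, records = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user, "country": country,
            "managed": device == "managed", "records": int(records)}

def detect(log_text):
    """Return (user, indicator) pairs, one per indicator an event matches."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        user = ev["user"]
        if ev["country"] not in GEO_BASELINE.get(user, set()):
            findings.append((user, "unusual-location"))
        if ev["records"] >= BULK_THRESHOLD:
            findings.append((user, "bulk-access"))
        if ev["ts"].hour not in BUSINESS_HOURS:
            findings.append((user, "off-hours"))
        if not ev["managed"]:
            findings.append((user, "unmanaged-device"))
    return findings

def users_to_escalate(findings, min_distinct=3):
    """A lone off-hours login is noise; several indicators on one account is not."""
    indicators = defaultdict(set)
    for user, indicator in findings:
        indicators[user].add(indicator)
    return {u for u, kinds in indicators.items() if len(kinds) >= min_distinct}
```

On the sample lines, only `jdoe` trips indicators, and the two late-night bulk pulls from an unmanaged device in an unfamiliar country hit all four at once, which is the combination worth paging on.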
Context
The Harvard and UPenn breach illustrates the evolving sophistication of data extortion groups like ShinyHunters. By targeting alumni affairs systems—repositories of wealth indicators, contact information, and relationship data—attackers accessed information valuable for multiple types of fraud.
The use of vishing with potential deepfake technology represents an escalation in social engineering capabilities. Traditional security awareness training focused on email phishing may be insufficient as attackers exploit voice and video channels.
Higher education institutions face unique challenges: they hold vast amounts of historical data, often operate with decentralized IT governance, and face budget pressures that can deprioritize security investments. The Harvard/UPenn breach serves as a warning that prestigious institutions are high-value targets.
For individuals affected by this breach, the exposure of donation history and wealth indicators creates elevated risk for targeted scams. Attackers can craft highly personalized approaches using the leaked biographical data, making verification of all communications essential.
The broader message for organizations: phishing-resistant MFA is no longer optional. Push notifications and SMS codes can be socially engineered. Only hardware keys and FIDO2 authentication provide robust protection against the vishing attacks that enabled this breach.