TL;DR: On February 4, 2026, ShinyHunters published 2.2 million stolen records from Harvard University and the University of Pennsylvania. The data dump includes email addresses, phone numbers, home addresses, donation histories, event attendance records, and "top donor" lists. Both universities refused to pay ransom. The attackers got in through vishing: phone calls that tricked staff into approving fake logins. If you're a Harvard or UPenn alum, donor, or family member of a student, your data is now public.

What Got Stolen

ShinyHunters dropped two data dumps on their extortion site:

Harvard University

1.1GB compressed. Over 1 million records from Alumni Affairs and Development (AAD).

University of Pennsylvania

483MB compressed. Approximately 1.2 million records from development and alumni systems.

Harvard confirmed the stolen data includes:

  • Email addresses
  • Phone numbers
  • Home and business addresses
  • Event attendance records
  • Donation histories and amounts
  • "Top donor" lists
  • Biographical information

The leaked data also contains information about spouses, widows, parents, current students, and family members flagged as prospective students. According to InfoStealers, the Harvard dump includes wealth band classifications, lifetime donation amounts, internal fundraising strategies, and even legal agreements with payment schedules.

This isn't just alumni data. It's a targeting database for anyone who wants to scam wealthy donors.

How They Got In: Voice Phishing

Harvard blamed the breach on a "voice phishing attack." UPenn called it "social engineering." Same thing, different PR language.

Here's how vishing works:

  1. Attackers call university staff pretending to be IT support or an identity vendor
  2. They create urgency: "Your account has been compromised" or "We need to verify your credentials"
  3. Victims get directed to fake login pages that look exactly like the real SSO portals
  4. When staff enter credentials, attackers capture them in real time using a man-in-the-middle setup
  5. Attackers then prompt victims to approve MFA push notifications ("just verify this is you")
  6. Once inside, they pivot across cloud platforms: Microsoft 365, SharePoint, Salesforce

ShinyHunters targeted administrative staff in alumni and development offices. These departments hold the richest personal data: donation records, wealth assessments, contact info for the university's most connected people.

The attackers searched for terms like "confidential" and "stewardship" to find high-value files. They knew exactly what they were looking for.
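The pattern described above (a push-approved login from an unfamiliar network, then searches for high-value terms) can be hunted for in logs. This is an added example, not from the universities or the cited reports; the event schema, account names, IP addresses and thresholds are constructed assumptions.

```python
from datetime import datetime, timedelta

SENSITIVE_TERMS = ("confidential", "stewardship")  # search terms named in the article

# Constructed baseline of IPs each account normally signs in from.
KNOWN_IPS = {"aad.staff1": {"192.0.2.10"}, "aad.staff2": {"192.0.2.20"}, "aad.staff3": {"192.0.2.30"}}

# Constructed events in a hypothetical merged sign-in/search schema (not a vendor log format).
EVENTS = [
    {"ts": "2025-11-03T09:02:00", "user": "aad.staff1", "type": "signin", "ip": "192.0.2.10", "mfa": "push"},
    {"ts": "2025-11-03T09:10:00", "user": "aad.staff1", "type": "search", "ip": "192.0.2.10", "query": "stewardship report"},
    {"ts": "2025-11-03T14:05:00", "user": "aad.staff2", "type": "signin", "ip": "203.0.113.50", "mfa": "push"},
    {"ts": "2025-11-03T14:09:00", "user": "aad.staff2", "type": "search", "ip": "203.0.113.50", "query": "Confidential"},
    {"ts": "2025-11-03T14:12:00", "user": "aad.staff2", "type": "search", "ip": "203.0.113.50", "query": "stewardship top donors"},
    {"ts": "2025-11-03T16:30:00", "user": "aad.staff3", "type": "signin", "ip": "198.51.100.9", "mfa": "push"},
    {"ts": "2025-11-03T16:41:00", "user": "aad.staff3", "type": "search", "ip": "198.51.100.9", "query": "event calendar"},
]

def find_suspicious_sessions(events, known_ips, window=timedelta(hours=2), min_hits=2):
    """Alert on a push-approved sign-in from an IP outside the user's baseline that is
    followed, from that IP and within `window`, by `min_hits` or more sensitive searches."""
    ordered = sorted(events, key=lambda e: e["ts"])  # ISO 8601 strings sort chronologically
    alerts = []
    for i, ev in enumerate(ordered):
        if ev["type"] != "signin" or ev.get("mfa") != "push":
            continue
        if ev["ip"] in known_ips.get(ev["user"], set()):
            continue  # familiar network: not the pattern described here
        start = datetime.fromisoformat(ev["ts"])
        hits = [
            later["query"] for later in ordered[i + 1:]
            if later["type"] == "search"
            and (later["user"], later["ip"]) == (ev["user"], ev["ip"])
            and datetime.fromisoformat(later["ts"]) - start <= window
            and any(term in later["query"].lower() for term in SENSITIVE_TERMS)
        ]
        if len(hits) >= min_hits:
            alerts.append({"user": ev["user"], "ip": ev["ip"], "signin": ev["ts"], "queries": hits})
    return alerts

if __name__ == "__main__":
    for alert in find_suspicious_sessions(EVENTS, KNOWN_IPS):
        print(alert)
```

A sign-in from a new network alone (aad.staff3) or a sensitive search from a familiar one (aad.staff1) does not alert; only the combination does.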

Timeline

  • November 2025: Harvard acknowledges a "cybersecurity incident" affecting alumni affairs systems
  • Fall 2025: UPenn discloses hackers compromised "a select group of information systems related to Penn's development and alumni activities"
  • December 2025: Both universities confirm breaches but don't disclose ransom demands
  • February 4, 2026: ShinyHunters publishes all stolen data after both schools refuse to pay

The universities sat on this for months. Victims are only now finding out their data has been public for three months.

Who Are ShinyHunters?

ShinyHunters has been on a rampage. They're part of the "Scattered LAPSUS$ Hunters" collective that's hit dozens of major organizations in the past year.

Recent ShinyHunters victims include:

  • Grubhub (January 2026), active extortion
  • TransUnion (via Salesforce supply chain)
  • 100+ companies (Okta SSO campaign)
  • SoundCloud: 29.8 million records
  • Panera Bread: 5.1 million records

Their playbook: steal data, demand ransom, publish everything when victims refuse to pay. They monetize both ways: extortion and selling data on dark web markets.

Why Universities Are Easy Targets

Universities are data goldmines with weak security. They hold:

  • Decades of alumni records with current contact info
  • Detailed financial profiles of donors
  • Research data and intellectual property
  • Student records protected by FERPA
  • Healthcare data from campus clinics

But their security often lags behind corporate standards. The InfoStealers post-mortem identified critical failures:

  • Bypassable multi-factor authentication (push notifications instead of hardware keys)
  • Centralized cloud platforms without zero-trust architecture
  • No phishing-resistant MFA like FIDO2 or hardware security keys
  • Administrative staff without adequate security training
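Why FIDO2 holds up where a push approval does not: the browser writes the page's origin into the data the key signs, and the real portal rejects any origin but its own. This is an added example, not code from the article or the cited post-mortem; it covers only the client-data and RP ID hash checks of WebAuthn verification (signature verification is omitted), and both hostnames are constructed.

```python
import base64, hashlib, hmac, json

RP_ID = "sso.example.edu"                    # constructed relying-party ID
EXPECTED_ORIGIN = "https://sso.example.edu"  # the only origin the real portal accepts
LOOKALIKE = "sso-example-edu.example.net"    # constructed look-alike host

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def browser_client_data(page_origin: str, challenge: bytes) -> bytes:
    """clientDataJSON as the browser builds it; the page cannot choose `origin`."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                       "origin": page_origin}).encode()

def authenticator_data(rp_id: str) -> bytes:
    """rpIdHash (32 bytes) | flags (UP|UV = 0x05) | signCount (4 bytes)."""
    return hashlib.sha256(rp_id.encode()).digest() + b"\x05" + (1).to_bytes(4, "big")

def verify_binding(client_data_json: bytes, auth_data: bytes, challenge: bytes) -> str:
    """Relying-party checks that tie an assertion to this site and this login attempt."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return "reject: wrong type"
    if not hmac.compare_digest(str(cd.get("challenge")), b64url(challenge)):
        return "reject: challenge mismatch"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return "reject: origin mismatch"
    if len(auth_data) < 37:
        return "reject: truncated authenticator data"
    if not hmac.compare_digest(auth_data[:32], hashlib.sha256(RP_ID.encode()).digest()):
        return "reject: rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return "reject: user not present"
    return "accept"

def demo():
    challenge = b"\x11" * 32  # constructed; a real server issues a fresh random value per login
    genuine = verify_binding(browser_client_data(EXPECTED_ORIGIN, challenge),
                             authenticator_data(RP_ID), challenge)
    # Staff member is on the look-alike page, which relays the real portal's challenge.
    relayed = verify_binding(browser_client_data("https://" + LOOKALIKE, challenge),
                             authenticator_data(LOOKALIKE), challenge)
    return genuine, relayed
```

A push approval carries no such binding: the prompt looks the same whether the login started on the real portal or a copy of it.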

Harvard and UPenn aren't alone. The Cl0p ransomware group hit both schools through an Oracle vulnerability in late 2025. Universities are getting hit from every direction.

If You're in the Data

Anyone connected to Harvard or UPenn (alumni, donors, parents, prospective students) should assume their data is compromised.

Expect Targeted Scams

Attackers now have your name, contact info, and donation history. Watch for convincing phishing targeting wealthy alumni or fake charity solicitations.

Freeze Your Credit

With addresses, phone numbers, and biographical data, identity theft is possible. Freeze credit at all three bureaus for free.

Change Passwords

If you have accounts with either university, change passwords immediately. Use unique passwords and a password manager.

Enable Hardware MFA

Push notification MFA failed here. Use hardware security keys (YubiKey, Google Titan) where possible.

If you're a major donor flagged on the "top donors" list, you're now a high-value target. Consider identity monitoring services and be extremely skeptical of any contact claiming to be from the universities.

The Pattern Here

Vishing is becoming the preferred attack vector because it bypasses technical controls. You can have the best firewalls in the world, but all it takes is one phone call to an admin assistant who approves a fake MFA request, and it's over.

ShinyHunters called their way into two of America's most prestigious universities. They walked out with 2.2 million records. Both schools refused to pay. Now that data is on the open internet.

If you gave money to Harvard or UPenn in the last decade, someone now knows exactly how much. They know where you live, how to reach you, and what you're worth to the university. Act accordingly.

References

  1. TechCrunch - Hackers publish personal information stolen during Harvard, UPenn data breaches (February 4, 2026)
  2. InfoStealers - A Technical and Ethical Post-Mortem of the Feb 2026 Harvard University ShinyHunters Data Breach
  3. Bank Info Security - Harvard, UPenn Data Leaked in ShinyHunters Shakedown (February 2026)
  4. Daily Dark Web - ShinyHunters Breaches Harvard and UPenn: Millions of Records Exposed
  5. TechNadu - ShinyHunters Claims Breach of Harvard and UPenn Data (February 2026)