Infamous cybercrime group ShinyHunters has confessed to last year’s breaches at Harvard University and the University of Pennsylvania (UPenn), releasing over a million records from each on its extortion site.
The Wednesday dump aims to shame the institutions into paying up. TechCrunch partly verified the files against alumni and public records.
UPenn confirmed in November 2025 a breach hitting “a select group of information systems related to Penn’s development and alumni activities.” Hackers sent taunting emails from official addresses and blamed social engineering tricks.
They mocked affirmative action, writing, “We hire and admit morons because we love legacies, donors, and unqualified affirmative action admits.” ShinyHunters has no known political bent and dodged follow-up questions.
Harvard later admitted a voice phishing hit on alumni systems. Stolen data covered emails, phones, addresses, event attendance, donations, and biographical details for fundraising.
The leaked files match both schools’ descriptions. ShinyHunters acted after ransom refusals, per its usual steal-threaten-dump routine.
UPenn spokesman Ron Ozio said, “the university is analysing the data and will notify any individuals if required by applicable privacy regulations.” Harvard stayed silent.
The group’s 2025 rampage struck nearly 1,000 firms via Salesforce flaws, exposing elite targets’ soft spots in supply chains and staff training.