Harvard and UPenn Data Dumped Online After Universities Refuse Ransom

By Tech Writer and Security Investigator Dominykas Zukas
Last updated: 5 February, 2026

These days, data leaks seem to happen almost daily. And while hackers more often than not target big corporations, it seems that nothing is really off the table.

On Wednesday, the notorious hacking group ShinyHunters made good on their threat. Harvard and UPenn were both hacked at the end of last year and both refused to pay up, so the hackers published what they claim are over 2 million records from the two Ivy League schools on their dark web leak site.

This isn't some random community college getting hit because they're running Windows XP. These are two of the most prestigious, well-funded universities in the world, and they still got played by a phone call.

ShinyHunters Leaks Over 2 Million Records

The data dump happened because both universities followed the procedure and refused to pay the ransom. That's the official security advice, after all. Don't negotiate with cybercriminals. But the thing about this advice is that it doesn't make your data any less compromised.

ShinyHunters claims they've released over 1 million records from each school. Harvard's leak includes email addresses, phone numbers, home and business addresses, donation details, and biographical information tied to their fundraising operations. UPenn's haul is similar – about 1.2 million records from donor databases, plus thousands of internal documents, including memos about wealthy donor families and their giving patterns.

The breaches originally happened back in November 2025, but the hackers only now published everything after ransom negotiations fell through. Portions of the data have been verified by cross-referencing them with alumni information and public records, so there's no question left about the legitimacy of the leak.

During the UPenn breach, the attackers even sent mass emails from official university addresses, throwing in some inflammatory political language about admissions policies. Of course, in reality, it was nothing more than a classic distraction tactic, as ShinyHunters is widely known to be in it for the money.

Social Engineering Strikes Elite Universities

The thing about this that gets me the most is that all it took was someone picking up a phone and tricking the right person. There was no elaborate hacking needed.

UPenn blamed their breach on social engineering. Basically, hackers impersonate someone trustworthy and convince employees to hand over credentials. Harvard was more specific, pointing to a voice phishing (vishing) attack. That's when attackers call you up, pretend to be IT support or some other authority figure, and walk you through "fixing a problem" that actually gives them access to everything.

Security experts say ShinyHunters has been running an active vishing campaign, targeting IT help desks to gain direct access to organizations' identity systems and single sign-on portals. Yet, nobody ever seems to think that this might happen to them until it does.

Once they're in, they grab whatever they can from software-as-a-service applications before anyone notices. In this case, they had access to Salesforce donor management systems, SharePoint document storage, and other internal tools. They get locked out eventually, but not before exfiltrating millions of records.

No Institution Is Safe From Hackers

The education sector is getting hammered right now. During Q2 2025, universities faced an average of 4,388 cyberattacks per week, making for a 31% year-over-year increase. That's more than double the global average across all sectors.

Universities are attractive targets because they're sitting on treasure troves of personal information, including decades of alumni data, donor information, and valuable research. They're also notoriously decentralized, with rotating student staff, sprawling vendor ecosystems, and a culture of openness that doesn't always mesh well with strict security protocols.

The Harvard and UPenn leaks prove something I've been saying for a while: technical defenses are crucial, but they only get you so far if you don’t understand the threats you’re dealing with. You can have the best firewalls, the most sophisticated intrusion detection, and enterprise-grade encryption. But if someone can convince your help desk to give them access with a five-minute phone call, none of that matters.

The universities are "analyzing the data" and will notify affected individuals "where required by law." That's corporate speak for "we're figuring out how bad this really is." Meanwhile, the people whose information got leaked are left wondering what comes next.

