Extortion group ShinyHunters has released datasets allegedly containing over 1 million records from Harvard University and 1.2 million records from the University of Pennsylvania, claiming they include personal and donor data. Security researchers warn about private lives and intimate institutional strategies exposed.
On February 4th, ShinyHunters publicly dumped two massive datasets with data allegedly stolen from two major universities.
It claims to have obtained over 1 million records with personally identifiable information and donation data from Harvard University. The size of the compressed dataset is 1.1GB. Meanwhile, the 438 Mb of stolen data from the University of Pennsylvania allegedly contains 1.2 million records.
ShinyHunters is a notorious threat actor behind recent breaches at Bumble, Match Group (which operates Hinge, Match, and OkCupid), Crunchbase, and other major companies. Google recently alerted about “a significant expansion and escalation” in the gang’s operations involving voice phishing to steal credentials.
Hudson Rock, a cybersecurity firm, confirms that data from Harvard contains 115,000 sensitive records from the Affairs and Development (AAD) department
“This incident is not merely a leak of names; it is a collapse of institutional data sovereignty. It exposes the private lives, financial liquidity, and intimate institutional strategies governing the world’s most influential academic donor base,” the researchers write in the technical report on the incident.
What happened?
Harvard University discovered the data breach on November 18th, 2025. Like many other ShinyHunter victims, the institution was attacked using a phone-based phishing attack, also known as vishing.
“Information systems used by Alumni Affairs and Development were accessed by an unauthorized party as a result of a phone-based phishing attack,” the university confirmed last year.
The University of Pennsylvania (UPenn) has also confirmed the incident last year and claimed that hackers overstated the number of affected people. While ShinyHunters claims 1.2 million records, the Philadelphia Inquirer reports that the breach “actually impacted fewer than 10 people, according to a legal filing in a proposed class action lawsuit.”
What’s in Harvard University’s data?
The university also said that the information systems, accessed by attackers, do not generally contain Social Security numbers, passwords, payment card information, or financial account numbers.
“They do include personal information such as email addresses, telephone numbers, home and business addresses, event attendance, details of donations to the University, and other biographical information pertaining to University fundraising and alumni engagement activities,” the statement reads.
“This also includes information about fundraising matters, donors, and communications between alumni and donors and the University.”
However, the leak contains extensive relational and biographical data, affecting alumni, spouses, parents, widows/widowers of alumni, donors, some current students, their parents, faculty, and staff.
“The 115,000 exfiltrated records represent a comprehensive census of the university’s human capital. The data structure reveals that the university tracks far more than just alumni,” Hudson Rock’s report reads.
The researchers found that Harvard University tracks people loosely connected to the institution through executive education or specific programs.
“The data maps the ‘social graph’of these individuals, identifying family members, wealth bands, and domestic intimacy.”
Wealth and contact information for prominent donors are exposed in the dataset. The university lists the “Lifetime Recognition Amount” of Mark E. Zuckerberg at approximately $604 million, followed by Michael R. Bloomberg ($422 million) and Steven A. Ballmer ($102 million).
“Perhaps the most damaging aspect of the leak is the exposure of the synchronization between fundraising and admissions,” the report notes.
“Internal documents reveal the existence of ‘Admissions Pauses’ or ‘Holds’ – formal administrative triggers that halt solicitation while a family member is a prospective student.”
Exposed internal notes reveal that the university used to align programs with Bill Gates’ interests as a tool for donor retention. Legal agreements reveal details about payment schedules and clauses that would allow for cessation.
“The ShinyHunters breach demonstrates that the most valuable data is no longer just credit card numbers, but the metadata of influence. By centralizing admissions statuses, wealth ratings, and private family hierarchies into cloud-based platforms protected by bypassable MFA, institutions have created a single point of failure,” Hudson Rock researchers conclude.
Excercise caution
Harvard University warned affected individuals to be on alert for any unusual or suspicious communications referencing the incident, data, or purporting to come from the university.
“Be especially cautious with unexpected calls, text messages, or emails requesting sensitive information or asking you to reset your password, even if they appear to come from colleagues or trusted partners,” the university said.
“Do not respond to the message, do not click any links or download any attachments, and do not follow any instructions provided before you are able to verify if the message is legitimate.”
Cybernews reported last year about another cybersecurity incident that affected the university – Cl0p, a notorious ransomware gang, leaked data stolen from the compromised instance of Oracle’s E-Business Suite.
Your email address will not be published. Required fields are markedmarked