A notorious cybercrime group has claimed responsibility for last year’s data breaches at Harvard University and the University of Pennsylvania and has now published what it says are vast troves of stolen records from both institutions.
The hacking group, known as ShinyHunters, on Wednesday released datasets it claims contain more than one million records from each university on its leak site, a platform typically used to pressure victims into paying ransom.
The development follows confirmations by both universities in November that their systems had been compromised. The University of Pennsylvania had disclosed a breach affecting what it described as a select group of information systems linked to development and alumni activities.
At the time, the hackers escalated the incident by sending emails to alumni directly from official university email addresses, publicly announcing the breach. The university attributed the incident to social engineering, a technique in which attackers impersonate trusted figures to deceive victims into granting access or taking harmful actions.
In its breach disclosure, which has since been taken offline, UPenn did not specify the exact nature of the data taken, stating only that systems tied to alumni and development operations were accessed.
TechCrunch later verified portions of the leaked dataset by cross checking information with alumni and public records, including student identification numbers, lending credibility to the hackers’ claims.
Harvard University also confirmed a breach around the same period, attributing it to a voice phishing attack. This method involves deceiving targets through phone calls into clicking malicious links or opening infected attachments.
According to Harvard, the compromised data included email addresses, phone numbers, residential and business addresses, records of event attendance, donation histories, and other biographical details connected to fundraising and alumni engagement.
The data published by ShinyHunters appears consistent with the categories of information both universities acknowledged were accessed during the attacks, according to a review by TechCrunch.
The hackers claimed they released the data after both universities refused to pay ransom demands. Groups like ShinyHunters often attempt to extort victims by threatening to publish stolen information, following through when payments are declined.
During the UPenn breach, the hackers attempted to frame their actions in political language, criticising affirmative action policies in a message sent to alumni. However, ShinyHunters is not known to operate with ideological motives and did not respond to questions seeking clarification on the inclusion of that language.
A spokesperson for the University of Pennsylvania, Ron Ozio, said the institution is analysing the published data and will notify affected individuals if required under applicable privacy regulations.
Harvard University did not respond to requests for comment, as concerns continue to mount over data security, institutional preparedness, and the growing sophistication of cybercriminal operations targeting academic institutions.