Feb 06, 2026
Harvard and UPenn Refused to Pay Hackers—Now 2 Million Records Are Public
The ShinyHunters cybercrime group published donor lists, student records, and family information from two Ivy League universities after ransom negotiations failed.
If you're a Harvard or UPenn alumnus, current student, donor, or even a family member of someone connected to these universities, your personal information may now be available on criminal forums.
On February 4, 2026, the prolific cybercrime group ShinyHunters published more than 2 million records stolen from Harvard University and the University of Pennsylvania. The dump came after both institutions refused to pay ransom demands—a principled stance that came with a steep price for the people whose data was exposed.
The breaches, which occurred in November 2025, targeted the universities' fundraising and alumni engagement systems. TechCrunch verified portions of the dataset by matching records against public information and confirming details with affected alumni.
What Data Was Stolen
The leaked data is unusually detailed, targeting the universities' donor and alumni relations databases. According to Harvard's disclosure, the stolen information includes:
- Email addresses: Personal and professional contacts
- Phone numbers: Direct lines to high-value targets
- Home and business addresses: Physical locations of donors and alumni
- Event attendance records: Revealing social connections and interests
- Donation details: Including "top donor" designations
- Biographical information: Used for fundraising targeting
- Family relationships: Spouses, widows, parents, and prospective students
- Admissions data: Current students and applicant information
The inclusion of "top donor" lists is particularly concerning. Wealthy individuals already face elevated risk of targeted scams, and this data provides criminals with a ready-made list of high-net-worth targets along with their contact information and giving history.
How the Breach Happened
According to security researchers, ShinyHunters gained access through social engineering and voice phishing (vishing) attacks targeting alumni and development office staff in November 2025. This attack vector is becoming increasingly common—criminals impersonate IT support or university officials over the phone to trick employees into revealing credentials or installing malware.
Once inside the alumni systems, the attackers exfiltrated data over several weeks before the universities detected the intrusion. ShinyHunters then attempted to extort both institutions, threatening to publish the data unless ransom demands were met.
Both Harvard and UPenn refused to pay—a decision aligned with FBI recommendations but one that guaranteed the data would be published.
Who Is ShinyHunters?
ShinyHunters is one of the most prolific cybercrime groups currently operating. The group has been linked to dozens of high-profile breaches including attacks on Microsoft GitHub repositories, Tokopedia, and Mashable. They typically focus on data theft and extortion rather than ransomware encryption.
The group operates across multiple platforms, maintaining both a presence on criminal forums and a dedicated leak site where they publish stolen data from victims who refuse to pay. Their Harvard and UPenn data was published on this leak site, making it accessible to any criminal willing to look.
Why University Data Is Valuable
Elite university databases are goldmines for criminals for several reasons:
- Wealthy targets: Donor lists identify high-net-worth individuals who can afford to lose significant sums to well-crafted scams.
- Trust relationships: Alumni often respond to communications appearing to come from their alma mater. Phishing emails impersonating Harvard or UPenn will have unusually high success rates against this population.
- Family connections: The inclusion of spouses, parents, and prospective students allows criminals to craft multi-generational scams—contacting parents about their children's "tuition issues" or reaching students about "scholarship opportunities."
- Professional networks: Ivy League alumni networks are tightly connected. Compromising one person's trust can open doors to their entire professional circle.
What to Do If You're Affected
If you have any connection to Harvard or UPenn—as a student, alumnus, donor, staff member, or family member—take these precautions:
- Be extremely suspicious of university communications: Criminals will impersonate Harvard and UPenn in phishing campaigns. Don't click links in emails claiming to be from these institutions. Instead, go directly to official websites or call published phone numbers.
- Watch for family member scams: If your family relationships were exposed, expect scams targeting your relatives as well. Warn family members to verify any unexpected communications about university matters.
- Monitor financial accounts: High-net-worth individuals should watch accounts closely for unauthorized activity, especially wire transfers or investment account changes.
- Be wary of phone calls: The same vishing techniques that breached these universities will be used against you. Never provide personal information to unexpected callers, even if they seem to know details about you.
- Update security on related accounts: Change the credentials on any account that uses your university email address or that might share passwords, and enable two-factor authentication.
The Bottom Line
Harvard and UPenn made the right call by not paying ransom—paying only encourages more attacks. But for the 2 million people whose data is now public, the principled stand offers little comfort.
If you're connected to either university, the scams are coming. Criminals now have your contact information, your donation history, and your family relationships. They'll use this information to craft convincing attacks targeting you and your loved ones. Stay vigilant, verify everything, and warn your family to do the same.