ShinyHunters Publishes Stolen Harvard, UPenn Data

The notorious cybercrime group ShinyHunters has claimed responsibility for last year's data breaches at Harvard University and the University of Pennsylvania (UPenn), publishing what it asserts are over one million records from each institution on its extortion website. The group stated that the data was released after the universities reportedly refused to pay a ransom.

On Wednesday, ShinyHunters made the stolen information public on its dedicated leak site, a platform typically used by the gang to pressure victims into paying. The published data reportedly includes sensitive personal details related to alumni and fundraising activities from both universities.

UPenn confirmed a data breach in November, which affected "a select group of information systems related to Penn’s development and alumni activities." At the time, hackers even sent emails to alumni from official university addresses, announcing the hack. The university attributed the breach to social engineering, a tactic where attackers manipulate individuals into divulging confidential information or performing actions they wouldn't normally. In its official breach disclosure web page, which has since been taken offline, UPenn did not specify the exact type of data stolen, simply stating that cybercriminals accessed "systems related to Penn’s development and alumni activities." TechCrunch verified a portion of the dataset by confirming with alumni and public records, such as matching the data against student ID numbers.

Later in November, Harvard University also acknowledged a breach within its alumni systems. Harvard said the incident was caused by a voice phishing attack, meaning hackers used voice calls to trick targets into clicking malicious links or opening attachments. The university disclosed that the compromised data included email addresses, phone numbers, home and business addresses, event attendance records, details of donations to the university, and other biographical information pertinent to its fundraising and alumni engagement efforts.

The data published by ShinyHunters, which TechCrunch has reviewed, appears to match the type of information both universities previously confirmed as stolen. Cybercriminals like ShinyHunters often employ this tactic: demanding payment to prevent the publication of stolen data, and releasing it online if the ransom is not met.

During the UPenn breach, the hackers initially presented what appeared to be political motives, expressing discontent with affirmative action policies in an email sent to alumni. The message read:

"We hire and admit morons because we love legacies, donors, and unqualified affirmative action admits."

However, ShinyHunters is not typically known for political motivations, and the group did not respond to inquiries regarding this specific language.

Penn spokesperson Ron Ozio informed TechCrunch that the university is "analyzing the data and will notify any individuals if required by applicable privacy regulations." Harvard University did not provide a comment when contacted.