A criminal hacking group publicly released large datasets purportedly stolen from Harvard University and the University of Pennsylvania, according to reports on February 5, 2026. The extortion group ShinyHunters posted millions of records on an online forum, claiming they include personal information and internal data from the two institutions.
ShinyHunters said the leak contains more than 1 million records from Harvard’s systems, including data tied to fundraising and alumni relations, and roughly 1.2 million records from Penn’s systems that it alleges cover students, alumni, and donors. The data reportedly includes email addresses, telephone numbers, home and business addresses, and other biographical information. Neither university has publicly verified the full scope of records released.
Harvard disclosed in November 2025 that networks used by its Alumni Affairs and Development office had been accessed by an unauthorised party after a phone-based phishing attack. Officials said the compromised systems did not generally store Social Security numbers, passwords, payment card information, or financial account numbers, but did contain personal contact details and records of donations and event attendance. Harvard said it acted quickly to remove the attacker’s access and is continuing to investigate the incident with external experts and law enforcement.
The University of Pennsylvania confirmed a separate breach in late 2025, although it disputed the number of affected people claimed by ShinyHunters. Local reports cited a legal filing indicating that the breach impacted fewer than 10 individuals, in contrast with the claim of more than 1.2 million records. In the Penn case, fraudulent emails were sent from university addresses after the attackers had accessed internal systems, and the university notified the FBI while examining the breach with cybersecurity specialists.
Security researchers and analysts emphasise caution when assessing dark web data dumps, noting that claims on criminal forums are often unverified and may include fabricated or misleading files intended to attract attention or extortion payments. In past incidents, ShinyHunters has posted or sold alleged stolen data from high-profile companies, and not all assertions have been confirmed as legitimate.
Both universities have issued guidance to affected communities, advising vigilance against phishing and other suspicious communications that reference the leaked information, and are working to determine the extent of any exposure and to strengthen their security controls. Law enforcement agencies are engaged in the investigations, and both institutions continue to communicate with cybersecurity partners as the incidents unfold.