
The University of Pennsylvania has confirmed a cybersecurity breach that compromised systems tied to its alumni and donor operations, after attackers accessed internal platforms and sent inflammatory mass emails to students and alumni.
The intrusion, which the university attributes to a social engineering attack, may have resulted in the theft of up to 1.2 million donor records.
The University of Pennsylvania is a prominent Ivy League institution with a global alumni base and extensive donor network. Its development office oversees major fundraising campaigns and maintains records on hundreds of thousands of contributors.
The incident was first publicly visible on October 31, 2025, when Penn students and alumni received offensive emails from legitimate university email addresses. The messages, sent via connect.upenn.edu, a mailing system hosted on Salesforce Marketing Cloud, claimed that the university had been hacked and that donor and alumni data had been stolen. The emails included inflammatory language attacking Penn’s admissions policies and institutional integrity.
The university confirmed the breach later that day and launched an investigation with assistance from the FBI and cybersecurity firm CrowdStrike. Penn attributed the compromise to identity impersonation through social engineering, which allowed attackers to obtain valid employee credentials and gain access to Penn’s internal systems.
According to Penn’s disclosure, the breached systems were part of its development and alumni engagement infrastructure. These included:
- Salesforce CRM — managing donor and alumni data
- SharePoint and Box — cloud-based document repositories
- QlikView — a business intelligence platform
- Marketing Cloud — used for mass email communications
While Penn has not confirmed the scope of data exfiltrated, the attackers claimed in a statement to BleepingComputer that they accessed detailed records of approximately 1.2 million individuals. The stolen data allegedly includes names, contact information, estimated net worth, donation history, and sensitive demographic attributes such as religion, race, and sexual orientation.
The threat actor stated they accessed Penn systems on October 30 and completed data extraction by October 31, when their access was cut off. Following the lockout, they used lingering access to Marketing Cloud to distribute the mass emails to an estimated 700,000 recipients.
Screenshots and partial data sets were shared with reporters and published online to support the attacker’s claims. A 1.7-GB archive of internal files, allegedly pulled from Penn’s SharePoint and Box, has also been leaked.
In the wake of the attack, Penn says it has restored all affected systems and implemented additional monitoring and authentication safeguards. The university is also rolling out enhanced training to reduce the risk of future social engineering attacks.
While no evidence suggests that medical records or Penn Medicine systems were affected, the university has not ruled out the exposure of personal data tied to donors or alumni. Penn has committed to notifying individuals if their information is found to be part of the breach.
Given the potential scope of the data theft, Penn advises all members of its community to be cautious of phishing attempts, especially those requesting credentials or soliciting donations. Recipients should verify communications independently before taking any action.
