University of Pennsylvania Breach - 623K Accounts Exposed
In October 2025, the University of Pennsylvania was the victim of a data breach followed by a ransom demand, largely affecting its donor database. After the incident, the attackers sent inflammatory emails to some victims. The data was later published online in February 2026 and included 624k uniqu...
Overview
In October 2025, attackers breached the University of Pennsylvania’s systems and exfiltrated a database containing 623,750 donor records. After the University did not meet a ransom demand, the attackers published the full dataset online in February 2026. Before publication, they also sent inflammatory emails to some victims, escalating the harassment beyond data theft. The breach was added to Have I Been Pwned (HIBP), allowing affected individuals to check their exposure.
What Was Exposed
The stolen database includes the following personal information for donors:
- Full Names
- Email Addresses
- Physical Addresses
- Genders
While this dataset does not include Social Security numbers, financial account details, or credit cards - which would have elevated the risk to a critical level - the combination of name, email, and physical address is still dangerous. It enables identity fraud, social engineering, and targeted harassment.
The Attacker
The attackers issued a ransom demand after the breach. When the University refused to pay, they carried out a punitive escalation: sending inflammatory messages to some victims, then publishing the entire database on the dark web in February 2026. This dual tactic - extortion plus harassment - is increasingly common among ransomware groups seeking to pressure organizations into paying. The group has not been publicly identified, but their behavior aligns with the “shame and leak” model used by groups like Clop or LockBit.
Account Takeover Risks
Donors are at risk of credential-stuffing attacks. Many people reuse passwords across personal email and philanthropic portals. With email addresses now public, attackers can attempt to log into accounts at other institutions - including UPenn’s giving portal - using passwords from past breaches. If a donor used the same email and password at a different charity or organization, that account is now exposed.
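From the portal operator's side, the pattern described above shows up in authentication logs as one source trying many different accounts, mostly unsuccessfully. The sketch below is an added example, not part of the original report; the log format, thresholds, addresses and function names are constructed assumptions, and the log is assumed to be in time order.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # assumed look-back window per source IP
MIN_ACCOUNTS = 5               # assumed: distinct accounts tried inside the window
MIN_FAIL_RATIO = 0.8           # assumed: stuffing attempts mostly fail

# Constructed log for a hypothetical portal: timestamp, source IP, account, outcome.
SAMPLE_LOG = """\
2026-02-10T09:00:01 203.0.113.7 donor1@example.org FAIL
2026-02-10T09:00:03 203.0.113.7 donor2@example.org FAIL
2026-02-10T09:00:05 203.0.113.7 donor3@example.org FAIL
2026-02-10T09:00:07 203.0.113.7 donor4@example.org FAIL
2026-02-10T09:00:09 203.0.113.7 donor5@example.org FAIL
2026-02-10T09:00:11 203.0.113.7 donor6@example.org OK
2026-02-10T09:02:00 198.51.100.20 bob@example.org FAIL
2026-02-10T09:02:20 198.51.100.20 bob@example.org OK
2026-02-10T09:03:00 192.0.2.50 staff1@example.org OK
2026-02-10T09:03:05 192.0.2.50 staff2@example.org OK
2026-02-10T09:03:10 192.0.2.50 staff3@example.org OK
2026-02-10T09:03:15 192.0.2.50 staff4@example.org OK
2026-02-10T09:03:20 192.0.2.50 staff5@example.org OK
"""

def parse(line):
    ts, ip, account, outcome = line.split()
    return datetime.fromisoformat(ts), ip, account.lower(), outcome == "OK"

def detect_stuffing(log_text):
    """Map each flagged source IP to the accounts it logged in to successfully."""
    recent = defaultdict(deque)   # ip -> events still inside WINDOW
    successes = defaultdict(set)  # ip -> accounts with a successful login
    flagged = set()
    for line in log_text.strip().splitlines():
        ts, ip, account, ok = parse(line)
        if ok:
            successes[ip].add(account)
        window = recent[ip]
        window.append((ts, account, ok))
        while ts - window[0][0] > WINDOW:  # drop events older than the window
            window.popleft()
        accounts = {a for _, a, _ in window}
        failures = sum(1 for _, _, good in window if not good)
        if len(accounts) >= MIN_ACCOUNTS and failures / len(window) >= MIN_FAIL_RATIO:
            flagged.add(ip)
    # Any account that logged in from a flagged IP is a forced-reset candidate.
    return {ip: sorted(successes[ip]) for ip in sorted(flagged)}

print(detect_stuffing(SAMPLE_LOG))
```

The shared address `192.0.2.50` also touches five accounts but is not flagged because its logins succeed, and the single user who mistypes a password once stays below the account threshold.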
What to Do Right Now
- Check if you’re affected. Visit Have I Been Pwned and search your email. If your address appears in this breach, take the actions below.
- Change your UPenn-related passwords. If you have a donor portal account, log in and update your password immediately. Use a unique, complex password that you do not reuse elsewhere.
- Enable two-factor authentication (2FA) on your donor account and, where possible, on the email account you used for UPenn communications. This prevents attackers from accessing your account even if they have your password.
- Watch for phishing emails. Attackers have already sent inflammatory messages to some victims. Expect additional phishing attempts claiming to be from UPenn, third-party charities, or security firms. Do not click links or open attachments in unsolicited messages.
- Freeze your credit. Although SSNs were not exposed, having your name and address in a breach is a common precursor to identity theft. Place a free credit freeze with Equifax, Experian, and TransUnion.
Security Insight
This breach underscores a painful reality for universities: donor databases are treasure troves for attackers, yet they are often secured less rigorously than student or medical records. UPenn’s refusal to pay the ransom is the correct stance - but the four-month gap between the October 2025 breach and the February 2026 publication means affected donors were left in the dark for months. Going forward, institutions must treat donor data with the same urgency as student data, including mandatory breach notification within 72 hours and immediate credential resets for all affected individuals. This case fits a troubling pattern in higher education, where institutions prioritize protecting student records over donor information - a mistake that costs them trust, money, and reputation.