A hacker has taken responsibility for last week’s University of Pennsylvania “We got hacked” email incident, saying it was a far more extensive breach that exposed data on 1.2 million donors and internal documents.
On Friday, University of Pennsylvania alumni and students began receiving multiple offensive emails from Penn.edu addresses claiming the university had been hacked and data stolen.
“The University of Pennsylvania is a dog**** elitist institution full of woke retards. We have terrible security practices and are completely unmeritocratic,” reads the email sent to Penn alumni and students.
“We hire and admit morons because we love legacies, donors, and unqualified affirmative action admits. We love breaking federal laws like FERPA (all your data will be leaked) and Supreme Court rulings like SFFA.”
BleepingComputer confirmed the emails originated from connect.upenn.edu, a Penn mailing list platform hosted on Salesforce Marketing Cloud. The university downplayed the incident, describing the messages as “fraudulent emails” that were “obviously fake.”
However, the threat actor behind the attack contacted BleepingComputer, claiming the intrusion was far broader and that they had gained access to multiple university systems.
The hacker said their group “gained full access” to an employee’s PennKey SSO account, allowing access to Penn’s VPN, Salesforce data, Qlik analytics platform, SAP business intelligence system, and SharePoint files.
They said they exfiltrated data for roughly 1.2 million students, alumni, and donors, including names, dates of birth, addresses, phone numbers, estimated net worth, donation history, and demographic details such as religion, race, and sexual orientation.
The threat actors shared screenshots and data samples with BleepingComputer and posted them online to prove that they had indeed accessed these systems and stolen data from Penn.
The attackers told BleepingComputer they breached Penn’s systems on October 30th and completed data downloads by October 31st, when the compromised employee account was locked and access lost.
After discovering their access had been revoked, the hacker said they still had access to Salesforce Marketing Cloud and used it to send the offensive mass email to roughly 700,000 recipients.
When asked whether the credentials were stolen via an infostealer or phishing, the hacker declined to elaborate, saying the intrusion was simple and caused by Penn’s security lapses.
The hacker has since published a 1.7-GB archive containing spreadsheets, donation materials, and other files allegedly taken from Penn’s SharePoint and Box systems.
The attacker told BleepingComputer they were not extorting the university, saying, “We don’t think they’d pay, and we can extract plenty of value out of the data ourselves.”
When asked about their motivation, the hackers said the attack was not political but aimed at obtaining Penn’s donor database.
“While we’re not really politically motivated, we have no love for these nepobaby-serving institutions,” the hackers told BleepingComputer.
“The main goal was their vast, wonderfully wealthy donor database.”
The donor database has not yet been leaked, though the threat actors claim they may release it in a month or two.
When contacted with these claims, the University of Pennsylvania told BleepingComputer, “We are continuing to investigate.”
What Penn donors should do
With a large amount of donor data now exposed, Penn donors should stay vigilant against targeted phishing or social engineering attempts.
Attackers could use the stolen information to impersonate the university, solicit fraudulent donations, or gain access to donor credentials to breach their online accounts.
Recipients should treat unexpected messages about donations with suspicion and verify their legitimacy directly with Penn before responding.
Whether you’re cleaning up old keys or setting guardrails for AI-generated code, this guide helps your team build securely from the start.
Get the cheat sheet and take the guesswork out of secrets management.
