When Billionaires Become the Breach: Inside the ShinyHunters Attack on Harvard's Donor Database
A comprehensive analysis of how voice phishing led to one of higher education's most consequential data exposures—and why 115,000 affected individuals may never be officially notified.
The Attack That Exposed America's Wealthiest Donors
On February 4, 2026, the cybercriminal syndicate ShinyHunters made good on a threat that had been looming since November 2025. After failed ransom negotiations with Harvard University, the group published approximately 115,000 sensitive records from the university's Alumni Affairs and Development (AAD) databases—a trove of information that reads like a who's who of American wealth and power.

The leaked data wasn't just names and email addresses. It was a comprehensive "relationship census" that exposed the private lives, financial liquidity, and intimate institutional strategies governing the world's most influential academic donor base. The breach laid bare donation histories, wealth ratings, home addresses, and internal fundraising strategies for individuals including Meta CEO Mark Zuckerberg ($603 million in lifetime donations), former New York City Mayor Michael Bloomberg ($422 million), and Microsoft executive Steve Ballmer ($102 million).
"This incident is not merely a leak of names," wrote Alon Gal of InfoStealers, who analyzed the breach extensively. "It is a collapse of institutional data sovereignty. It exposes the private lives, financial liquidity, and intimate institutional strategies governing the world's most influential academic donor base."
For Harvard—an institution whose $50+ billion endowment is built on cultivating relationships with the ultra-wealthy—the breach represents a fundamental violation of the trust that makes major gift fundraising possible. For the affected donors, it creates an unprecedented fraud risk: their wealth ratings, personal contact information, and family details are now available to any criminal willing to look.

Timeline of a Sophisticated Attack
The Harvard breach didn't happen in isolation. It was part of a coordinated campaign by ShinyHunters that targeted multiple Ivy League institutions within weeks:
The Wave of Attacks
| Date | Target | Records | Attack Vector |
|---|---|---|---|
| Late October 2025 | University of Pennsylvania | 1.2 million | Vishing/SSO compromise |
| November 10, 2025 | Princeton University | Unknown | Vishing/donor database |
| November 18, 2025 | Harvard University | 115,000 | Vishing/AAD systems |
Harvard-Specific Timeline
November 18, 2025 - Discovery
Harvard's security team detected unauthorized access to the Alumni Affairs and Development systems. According to the university's incident response, they immediately revoked the attackers' access and engaged third-party cybersecurity experts.
November 22, 2025 - Initial Notification
Harvard sent emails to individuals with records in the affected systems, acknowledging the breach without providing specific details about what had been compromised. The notification was notably vague, stating that affected systems "generally did not contain" Social Security numbers, passwords, or payment card information.
December 19, 2025 - Last FAQ Update
Harvard's HUIT (Harvard University Information Technology) cyber incident page received its final update. The FAQ provided general information about the breach but offered no timeline for individual notifications or specific details about the data exposed.
Late January 2026 - Ransom Negotiations Fail
ShinyHunters, having stolen data from both Harvard and UPenn, attempted to extort both institutions. Both universities refused to pay. A new ShinyHunters data leak site (DLS) emerged, signaling the group's intent to publish.
February 4, 2026 - Data Published
ShinyHunters released the Harvard and UPenn datasets on their dedicated leak site. TechCrunch verified portions of both datasets, confirming the authenticity of the exposed information.
February 5, 2026 - Media Verification
Security researchers and journalists began analyzing the leaked data, discovering the extent of sensitive information exposed—including the controversial "admissions holds" documentation and detailed wealth profiles.

The Attack Vector: Voice Phishing in the Age of AI
Understanding how ShinyHunters breached Harvard requires understanding the evolution of social engineering in 2025-2026. Unlike traditional cyberattacks that exploit software vulnerabilities, this attack exploited the identity layer—the human beings responsible for managing access to systems.
How the Attack Likely Unfolded
According to security analysts at Google/Mandiant who track ShinyHunters (designated UNC6040/UNC6240/UNC6661), the group has refined a sophisticated voice phishing methodology that bypasses even multi-factor authentication:
Step 1: Target Identification
Attackers identify administrative staff with access to high-value systems—in Harvard's case, employees in Alumni Affairs and Development who could access donor databases.
Step 2: The Call
Using spoofed caller ID (and potentially AI-generated deepfake voices), attackers impersonate IT support staff, identity vendors like Okta, or even university executives. The calls are convincing because attackers often gather preliminary intelligence through LinkedIn, the university directory, and previous data breaches.
Step 3: The Typosquatted Portal
Victims are directed to a domain that looks nearly identical to Harvard's legitimate Single Sign-On (SSO) portal—something like "harvardsso.com" or "my-harvard-okta.com." These domains are registered through registrars like NICENIC or Tucows, which ShinyHunters has historically used.
Step 4: Real-Time Credential Theft
Here's where the attack becomes truly sophisticated. Using a Man-in-the-Middle (MitM) architecture, attackers capture credentials in real-time. When the victim enters their username and password, the attacker simultaneously enters those same credentials on the legitimate Harvard portal.
Step 5: MFA Bypass
When Harvard's systems send an MFA challenge, the attacker convinces the victim to either:
- Approve a push notification ("Please confirm the login we're troubleshooting")
- Read aloud their one-time password
- Navigate to their authenticator app while the attacker watches via screenshare
Once the attacker captures the MFA approval, they hijack the active session token—gaining the same access as the legitimate user without triggering security alarms.
Step 6: Lateral Movement and Exfiltration
With valid credentials and an active session, attackers move through internal systems—Microsoft 365, SharePoint, Salesforce—searching for high-value keywords like "confidential," "stewardship," "proposal," and "donor." Data is exfiltrated using tools like S3 Browser, WinSCP, and PowerShell.
Why Traditional Security Failed
Google's Threat Intelligence Group assessment is damning for organizations relying on conventional security controls:
"This activity is not the result of a security vulnerability in vendors' products or infrastructure. Instead, it continues to highlight the effectiveness of social engineering and underscores the importance of organizations moving towards phishing-resistant MFA."
The problem isn't that Harvard's firewalls were weak or their software was unpatched. The problem is that push-based MFA—which Harvard, like most organizations, relies upon—can be socially engineered. When an attacker can call an employee and convince them to approve a push notification, the security control becomes meaningless.
What Was Exposed: A "Relationship Census" of Power
The 115,000 records exfiltrated from Harvard represent far more than a typical data breach. This wasn't a database of usernames and passwords. It was Harvard's institutional knowledge about its most important relationships—the intelligence that powers a $50+ billion endowment.
The Data Categories
Basic Contact Information
- Email addresses (personal and institutional)
- Phone numbers (including personal cell phones)
- Home and business addresses
- Family member contact details
Relationship Mapping
- Spousal information
- Children's names and educational status
- Sibling relationships
- Widow/widower status
- "Social graph" connections between individuals
Financial Intelligence
- Lifetime donation totals
- Donation patterns and timing
- Wealth ratings (e.g., "$5B+," "$1B-$5B," "$500M-$1B")
- Giving capacity estimates
- Campaign pledges and payment schedules
Engagement Records
- Event attendance history
- Meeting notes from development officers
- Communication records
- Cultivation strategies and "next steps"
Sensitive Administrative Data
- Admissions "holds" and "pauses"
- Internal assessments of donor interests
- Faculty cultivation strategies for major donors
- Department-specific solicitation notes
The "Top Donor" Files
Among the most explosive revelations were the "Top Donor" files, which exposed the financial relationships between Harvard and America's wealthiest individuals:
| Individual | Lifetime Recognition | Wealth Rating | Key Exposures |
|---|---|---|---|
| Mark E. Zuckerberg | $603,679,095 | $5B+ | Home address, private email, spouse/sibling tracking |
| Michael R. Bloomberg | $421,979,500 | $5B+ | Private Bloomberg LP emails, cell phone, NYC residential data |
| Steven A. Ballmer | $102,409,226 | $5B+ | SEAS campaign targets, family foundation details |
| Bill Ackman | Multi-million | $5B+ | Pershing Square Foundation agreements, payment schedules |
| Bill Gates | Unknown | $5B+ | Cultivation strategies, faculty connections |
The exposed Pershing Square Foundation documents, signed by Bill Ackman, revealed specific payment schedules ($200,000 annual installments over 25 years) and clauses regarding "catastrophic events" that would allow the foundation to cease payments. These legal agreements were never meant to be public.
The "Admissions Holds" Revelation
Perhaps the most politically damaging aspect of the breach was the exposure of explicit coordination between Harvard's fundraising and admissions departments. Internal documents revealed the existence of "Admissions Pauses" or "Holds"—formal administrative triggers that halt donation solicitation while a family member is a prospective student.
One example cited by InfoStealers involved Sid Kosaraju, where a pause was active for his son's senior year—even though Kosaraju had explicitly stated the son would not be applying to Harvard. The existence of such holds in fundraising databases proves that the departments tracking donors and the departments admitting students are deeply coordinated, regardless of what universities claim publicly.
In an era of intense scrutiny over legacy admissions and the role of donor status in college acceptance, these documents provide ammunition to critics who argue that elite universities maintain a "pay-to-play" system. The leak shows not just that coordination exists, but exactly how it works at an operational level.
Internal strategy notes regarding Bill Gates revealed how Harvard relies on specific faculty members to maintain donor relationships. Documents described using solar geo-engineering expert David Keith to "cast [programs] from a programmatic angle" that appeals to Gates' interests. The notes also expressed anxiety about faculty retention—not for academic reasons, but because losing key professors could mean losing their associated donors.
The Threat Actor: Understanding ShinyHunters
The group responsible for the Harvard breach isn't a traditional ransomware gang. ShinyHunters represents the evolution of cybercrime into something more sophisticated and harder to counter.
Origins and Evolution
ShinyHunters emerged around 2019-2020, initially operating as a data theft and sales operation. Early breaches targeted companies like Tokopedia, Wattpad, and Microsoft's GitHub repositories. The group sold stolen data on dark web marketplaces, treating cybercrime as a straightforward business.
By 2024, the business model shifted. Rather than simply selling data, ShinyHunters began directly extorting victims—demanding payment in Bitcoin in exchange for not releasing stolen information. The group targeted cloud environments, particularly AWS S3 buckets containing sensitive data.
The 2025-2026 period represents another evolution. ShinyHunters merged with (or absorbed) tactics and personnel from Scattered Spider and LAPSUS$, forming what some analysts call the "Scattered LAPSUS$ Hunters" collective. This merger brought sophisticated voice phishing capabilities and a focus on identity provider compromise.
Current Capabilities
Social Engineering Excellence
ShinyHunters has demonstrated the ability to convince employees at major corporations and universities to compromise their own credentials. Their vishing operations are professional, often involving multiple callers with specialized roles (initial contact, technical support, verification).
Real-Time MFA Bypass
The group's Man-in-the-Middle architecture allows them to defeat push-based and SMS-based multi-factor authentication. Only hardware security keys (FIDO2) reliably resist their techniques.
SaaS Platform Expertise
Once inside, ShinyHunters operators demonstrate deep familiarity with enterprise SaaS platforms—Salesforce, SharePoint, Microsoft 365. They know what to search for and how to extract data efficiently.
Professional Extortion
The group operates like a business, with standard extortion timelines (typically 72 hours), professional communication, and escalating pressure tactics including DDoS attacks and personnel harassment.
The Victim List
Harvard is in unfortunate company. ShinyHunters' confirmed victims include:
| Target | Records | Year |
|---|---|---|
| Ticketmaster | 560 million | 2024 |
| AT&T | 109 million | 2024 |
| PowerSchool | 62 million | 2024 |
| Santander Bank | 30 million | 2024 |
| University of Pennsylvania | 1.2 million | 2025 |
| Qantas | 5.7 million | 2025 |
| (target name not recoverable from source) | Confirmed | 2025 |
| LVMH/Dior/Louis Vuitton | Confirmed | 2025 |
| Pornhub | 200 million | 2025 |
| Princeton University | Unknown | 2025 |
| Harvard University | 115,000 | 2025 |
Law Enforcement Challenges
Despite multiple arrests, ShinyHunters continues to operate:
- May 2022: Sébastien Raoult arrested in Morocco, extradited to the US
- January 2024: Raoult sentenced to 3 years in US prison
- May 2025: Matthew D. Lane (19, Massachusetts) charged for PowerSchool breach
- June 2025: Four members arrested in France
The group's decentralized structure and international composition make enforcement difficult. As one Reddit commenter noted: "They are mostly kids, and there does not appear to be formal/centralized leadership. They are also not a ransomware group in the usual sense—they aren't encrypting systems. They are breaching and then extorting."
Harvard's Response: Silence in the Face of Crisis
Harvard's handling of the breach has been marked by a notable lack of transparency. While the university took appropriate immediate technical actions, its communication with affected individuals and the public has been minimal.
What Harvard Did Right
Immediate Access Revocation
Upon discovering the breach on November 18, 2025, Harvard immediately revoked the attackers' access to compromised systems. This limited the window for data exfiltration.
Third-Party Engagement
The university engaged external cybersecurity experts to assist with investigation and remediation—standard practice for major incidents.
Law Enforcement Notification
Harvard reported the breach to appropriate law enforcement agencies, as required for incidents of this magnitude.
Basic Communication
The university established a dedicated incident page and sent an initial email notification to those with records in affected systems.
What Harvard Has Failed to Do
Individual Notifications
As of early February 2026, there's no indication that Harvard has sent individual notification letters to the 115,000+ people whose data was exposed. The university's FAQ states only that they "will assess if specific notifications are needed."
Regular Updates
Harvard's incident FAQ page was last updated on December 19, 2025—more than six weeks before the data was publicly released. There has been no substantive update since ShinyHunters published the stolen data.
Response to Media
According to TechCrunch, Harvard did not respond to requests for comment following the February 4 data release. For an institution of Harvard's resources and public relations capability, silence is a choice.
Donor Protection Guidance
The leaked data creates immediate fraud risks for high-net-worth individuals. Harvard has provided no specific guidance on how donors should protect themselves against targeted phishing or vishing attempts.
The Notification Loophole
The most troubling aspect of Harvard's response may be entirely legal. Massachusetts breach notification law only triggers when exposed data includes a name combined with:
- Social Security number
- Driver's license or state ID number
- Financial account numbers
Harvard's FAQ explicitly stated that affected systems "generally did not contain" these elements. While the university holds email addresses, phone numbers, home addresses, donation histories, wealth ratings, and family relationship data for 115,000+ individuals—information with obvious fraud potential—state law may not require notifying anyone.
This creates what DataBreaches.net calls an "ethical vs. legal" dilemma:
"Even if the state laws do not require notification, should the universities notify donors 'in an abundance of caution'? What is the ethical way for the universities to deal with these breaches to protect those whose data has been acquired and to restore trust if state law does not require notification?"
For donors who have entrusted Harvard with sensitive personal information—and in many cases, with hundreds of millions of dollars—the lack of proactive notification feels like a betrayal. They may learn their data was exposed from news reports rather than from the institution they supported.
The Notification Crisis: When Law Fails to Protect
The Harvard breach exposes a fundamental gap in American data protection law. While GDPR in Europe would require extensive notification and significant potential fines, US law leaves millions of breach victims unprotected.
The Federal Gap: FERPA Doesn't Mandate Notification
The Family Educational Rights and Privacy Act (FERPA) governs student data at educational institutions. One might expect it to require notification when student data is breached. It doesn't.
According to the Department of Education: "FERPA does not require an educational agency or institution to notify students that information from their education records was disclosed."
FERPA only requires that schools record unauthorized disclosures in the student's file—an administrative box-checking exercise that provides no actual protection to affected individuals.
State Laws: Designed for a Different Era
State breach notification laws, including Massachusetts' and Pennsylvania's, were designed around credit card fraud and identity theft. They focus on data elements that enable financial fraud: Social Security numbers, account numbers, access credentials.
These laws never anticipated a world where:
- Wealth ratings and donation histories enable targeted fraud
- Home addresses of billionaires become valuable to criminals
- Family relationship data enables sophisticated social engineering
- "Cultivation strategies" reveal exactly how to manipulate high-net-worth targets
The Harvard breach exposes data that is extraordinarily valuable to criminals—but not data that triggers notification requirements.
The UPenn Precedent
The University of Pennsylvania, breached in the same campaign, allegedly told the court hearing a potential class action lawsuit that only 10 people out of the 1.2 million affected records required notification.
When pressed, a UPenn spokesperson told DataBreaches.net: "We are analyzing the data and will notify any individuals if required by applicable privacy regulations."
But two days earlier, UPenn had claimed they'd already "completed a comprehensive review" and "sent notifications to the limited number of individuals whose personal information was impacted."
The university's incident webpage now returns a 404 error.
What Should Change
The Harvard breach should prompt legislators to reconsider what triggers notification requirements:
Wealth and Financial Information
Donation histories, wealth ratings, and net worth estimates should trigger notification—this data enables targeted fraud even without account numbers.
Contact Information in High-Value Contexts
Home addresses and personal phone numbers for high-net-worth individuals represent elevated risk and should require notification when breached alongside wealth indicators.
Relationship Data
Family relationship information that enables social engineering should be considered sensitive data requiring notification.
Institutional Notification Deadlines
Universities and other institutions should face specific deadlines for notifying affected individuals, not open-ended "assessment" periods that stretch for months.
Lessons for Educational Institutions
The Harvard breach, combined with the attacks on UPenn and Princeton, represents a wake-up call for higher education. These weren't attacks on obscure community colleges—they targeted some of America's most prestigious and well-resourced universities.
Immediate Technical Priorities
1. Implement Phishing-Resistant MFA
Push-based authentication and SMS codes can be socially engineered. FIDO2 security keys and passkeys cannot. Every institution with valuable data should be migrating to hardware-based authentication for high-privilege accounts.
2. Vishing Awareness Training
IT help desk staff are prime targets for voice phishing. Train them specifically on:
- Never trusting caller ID (easily spoofed)
- Callback verification procedures (call the person back at their known number)
- Recognition of pressure tactics and urgency claims
- Protocols for escalating suspicious calls
3. SSO Monitoring
Alert on anomalous activity in identity systems:
- New MFA device registrations
- Suspicious OAuth authorizations
- Deletion of security notification emails
- Login from unusual locations or devices
4. Data Minimization
Review what donor data is actually needed. Do wealth ratings need to be in systems accessible to dozens of staff? Can relationship data be segmented? The more data centralized in accessible systems, the bigger the potential breach.
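The SSO monitoring list above, together with the relay described in Steps 4 and 5 (password entered from the attacker's proxy, push approved from the victim's phone), can be turned into concrete rules over identity-provider events. This is an added example, not code from the article or any IdP vendor: the event schema, users, IPs and provider names are all constructed, and the field names must be mapped onto your own IdP's log format before use.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Commercial VPN/proxy providers named in the article's appendix. Real
# deployments resolve source IPs to an org/ASN name with an enrichment feed.
PROXY_ORGS = {"mullvad", "oxylabs", "netnut", "9proxy", "infatica", "nsocks"}

RELAY_WINDOW = timedelta(minutes=5)     # password.verify -> mfa.push.approved
ENROLL_WINDOW = timedelta(minutes=30)   # session.start -> mfa.factor.enroll
SECURITY_MAIL_TERMS = ("new sign-in", "security alert", "mfa", "password changed")

def _t(ev):
    return datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")

def detect(events):
    """Return {user: [alert strings]} for a stream of constructed IdP events."""
    by_user = defaultdict(list)
    for ev in sorted(events, key=_t):
        by_user[ev["user"]].append(ev)
    alerts = defaultdict(list)
    for user, evs in by_user.items():
        last_pw = None      # most recent password.verify for this user
        sessions = []       # (time, ip) of session.start events
        for ev in evs:
            kind, ip, org = ev["event"], ev["ip"], ev.get("org", "").lower()
            if kind == "password.verify":
                last_pw = ev
            elif kind == "mfa.push.approved" and last_pw:
                # Relay signal: credentials typed on one network, push approved
                # on another within minutes. A phone on cellular also trips this,
                # so treat it as a score contributor, strongest with the proxy hit.
                if ip != last_pw["ip"] and _t(ev) - _t(last_pw) <= RELAY_WINDOW:
                    alerts[user].append(
                        f"push approved from {ip} but password came from {last_pw['ip']}")
            elif kind == "session.start":
                sessions.append((_t(ev), ip))
                if org in PROXY_ORGS:
                    alerts[user].append(f"session from commercial proxy/VPN ({org}) at {ip}")
            elif kind == "mfa.factor.enroll":
                # New MFA device registered shortly after a login: classic persistence.
                recent = [s for s in sessions if _t(ev) - s[0] <= ENROLL_WINDOW]
                if recent:
                    alerts[user].append(
                        f"new MFA factor '{ev.get('factor', '?')}' enrolled "
                        f"within {ENROLL_WINDOW} of login from {recent[-1][1]}")
            elif kind == "oauth.consent":
                alerts[user].append(
                    f"OAuth consent granted to '{ev.get('app')}' with scopes {ev.get('scopes')}")
            elif kind == "mail.rule.create":
                # Rules that delete security notifications hide the IdP's own alerts.
                rule = ev.get("rule", "").lower()
                if "delete" in rule and any(t in rule for t in SECURITY_MAIL_TERMS):
                    alerts[user].append("inbox rule deletes security notification mail")
    return dict(alerts)

# Constructed sample stream: aad-staff1 is relayed and then abused; aad-staff2 is a normal login.
SAMPLE_EVENTS = [
    {"ts": "2025-11-18T14:02:10Z", "user": "aad-staff1", "event": "password.verify",
     "ip": "203.0.113.7", "org": "Mullvad"},
    {"ts": "2025-11-18T14:02:25Z", "user": "aad-staff1", "event": "mfa.push.approved",
     "ip": "198.51.100.20", "org": "Mobile-Carrier"},
    {"ts": "2025-11-18T14:03:00Z", "user": "aad-staff1", "event": "session.start",
     "ip": "203.0.113.7", "org": "Mullvad"},
    {"ts": "2025-11-18T14:10:00Z", "user": "aad-staff1", "event": "mfa.factor.enroll",
     "ip": "203.0.113.7", "org": "Mullvad", "factor": "authenticator-app"},
    {"ts": "2025-11-18T14:12:00Z", "user": "aad-staff1", "event": "oauth.consent",
     "ip": "203.0.113.7", "org": "Mullvad", "app": "Bulk Export Helper",
     "scopes": "files.read.all mail.read"},
    {"ts": "2025-11-18T14:15:00Z", "user": "aad-staff1", "event": "mail.rule.create",
     "ip": "203.0.113.7", "org": "Mullvad",
     "rule": "Delete message if subject contains 'New sign-in'"},
    {"ts": "2025-11-18T09:00:00Z", "user": "aad-staff2", "event": "password.verify",
     "ip": "192.0.2.5", "org": "Campus"},
    {"ts": "2025-11-18T09:00:20Z", "user": "aad-staff2", "event": "mfa.push.approved",
     "ip": "192.0.2.5", "org": "Campus"},
    {"ts": "2025-11-18T09:00:30Z", "user": "aad-staff2", "event": "session.start",
     "ip": "192.0.2.5", "org": "Campus"},
]

if __name__ == "__main__":
    for user, found in detect(SAMPLE_EVENTS).items():
        print(user)
        for a in found:
            print("  -", a)
```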
Systemic Issues in Higher Education
Decentralized IT
Universities often have fragmented IT environments, with different schools, departments, and programs running their own systems. This creates multiple weak points that attackers can target.
Budget Constraints
Despite massive endowments, universities often underinvest in cybersecurity compared to corporations with similar data sensitivity. A hospital would face massive regulatory consequences for a breach of this magnitude; a university may face none.
Cloud Expansion Without Security Investment
The shift to SaaS platforms (Salesforce, SharePoint, Microsoft 365) expands the attack surface without equivalent security investment. These platforms are only as secure as the credentials protecting them.
High-Value Targets
University advancement offices hold data that criminals specifically want: detailed information about wealthy individuals, including how to contact them and what they care about. This isn't like breaching a retailer's customer list—it's a curated target list for sophisticated fraud.
Zero Trust Architecture
The lesson from ShinyHunters is that perimeter security doesn't matter when attackers can convince employees to hand over credentials. Organizations need to adopt Zero Trust principles:
- Verify explicitly: Every access request should be authenticated and authorized, regardless of network location
- Use least privilege: Users should have access only to the specific resources they need
- Assume breach: Design systems expecting that attackers will eventually get in; limit what they can access and exfiltrate
The Broader Pattern: Why Elite Institutions Are Under Attack
The Harvard breach didn't happen in isolation. It was part of a systematic campaign against elite educational institutions:
| University | Date | Attack Type | Impact |
|---|---|---|---|
| University of Pennsylvania | Oct 2025 | Vishing/SSO | 1.2M records |
| Princeton University | Nov 10, 2025 | Vishing | Donor/alumni DB |
| Harvard University | Nov 18, 2025 | Vishing | 115K records |
| Columbia University | 2025 | Unknown | 870K records |
| NYU | 2025 | Unknown | 3M applicant records |
| University of Phoenix | Dec 2025 | Oracle EBS exploit | 3.5M records |
Why Advancement Offices?
Development and advancement offices are ideal targets for several reasons:
Valuable Data
Donor databases contain exactly the information criminals need for targeted fraud: wealth indicators, contact information, relationship histories, and psychological profiles (what do they care about? how do they like to be approached?).
Access Concentration
Advancement offices often have access to data across the institution—alumni records, current student information, faculty data, event attendance. Compromising one office can yield information about multiple populations.
Lower Security Posture
Fundraising staff are trained to be relationship-builders, not security skeptics. They're often less suspicious of unusual requests than IT or security personnel.
Less Regulatory Scrutiny
Healthcare and financial services face intense regulatory oversight; higher education faces relatively little. A hospital breaching 115,000 patient records would face HIPAA investigations and potentially massive fines. Harvard may face no regulatory consequences at all.
The Three-Week Pattern
Princeton, Harvard, and UPenn were all breached within three weeks of each other using nearly identical vishing techniques. This suggests either:
- Coordinated Campaign: ShinyHunters deliberately targeted Ivy League advancement offices as a campaign
- Opportunistic Success: One success led to immediate attempts against similar institutions
- Shared Intelligence: Information from one breach informed attacks on others
Whatever the explanation, universities need to recognize that successful attacks against peer institutions mean they're likely next.
What Affected Individuals Should Do
If you're an alumnus, donor, parent, or other individual whose data may have been compromised in the Harvard breach, you should take proactive steps to protect yourself—even if Harvard doesn't send you a notification letter.
Immediate Actions
1. Assume Your Data Is Exposed
If you've donated to Harvard, attended events, or have any relationship with the advancement office, assume your information was in the breach. Don't wait for official notification.
2. Be Vigilant About Targeted Phishing
Criminals now have your email address, phone number, and detailed information about your relationship with Harvard. Expect sophisticated phishing attempts:
- Emails appearing to be from Harvard about "donation issues"
- Phone calls from "university representatives"
- Requests to "update your donor profile"
3. Verify All Communications
If you receive any communication from Harvard—by email, phone, or mail—independently verify it by calling Harvard's main number or logging into official Harvard portals directly (never click links in emails).
4. Monitor for Impersonation
High-net-worth individuals should be alert for:
- New accounts or applications in their name
- Unusual contact from "financial advisors" or "estate planners"
- Requests from people claiming to represent charities or universities
5. Alert Your Family
The breach exposed family relationship data. Warn family members—especially those named in Harvard records—to be suspicious of unsolicited contact referencing your Harvard relationship.
For High-Net-Worth Donors
If your wealth rating and donation history were exposed, you face elevated risk:
Work with Your Security Team
If you have personal security staff, brief them on the breach. Criminals now have your home address and detailed wealth information.
Review Financial Controls
Ensure any wire transfers or large transactions require multiple verification steps. Criminals may attempt social engineering using information from the breach.
Consider Identity Monitoring
Services that monitor for your personal information on dark web forums may provide early warning of exploitation attempts.
Be Skeptical of "Charitable" Appeals
The breach exposed what you care about and how you like to be approached. Expect criminals to craft targeted charitable fraud using this intelligence.
The Road Ahead: Accountability and Reform
The Harvard breach should serve as an inflection point for how America handles data protection in higher education. The current system—where institutions can suffer massive breaches without regulatory consequence or notification requirements—fails to protect the individuals who trust these institutions with their data.
What Harvard Should Do Now
1. Proactive Notification
Even if Massachusetts law doesn't require it, Harvard should notify all affected individuals that their data was exposed and provide specific guidance on protecting themselves from fraud.
2. Credit/Identity Monitoring
For donors whose wealth information was exposed, Harvard should offer identity monitoring services and dedicated fraud support.
3. Regular Communication
Harvard should provide regular updates on what happened, what they're doing to prevent future breaches, and what affected individuals should do. Silence is not a communications strategy.
4. Security Investment
Harvard's $50+ billion endowment can fund world-class cybersecurity. The university should commit publicly to specific security improvements, including phishing-resistant MFA deployment.
What Legislators Should Do
1. Expand Notification Triggers
Update breach notification laws to include wealth indicators, donation histories, and relationship data—not just financial account numbers.
2. Establish Federal Standards
The patchwork of state laws creates confusion and inconsistent protection. Federal baseline standards for breach notification would ensure all Americans receive similar protection.
3. Mandate Educational Institution Security Standards
Just as HIPAA sets security requirements for healthcare, there should be baseline security requirements for educational institutions holding sensitive donor and student data.
What Other Universities Should Do
1. Learn from Harvard's Mistakes
Don't wait to be breached. Implement phishing-resistant MFA, vishing awareness training, and data minimization now.
2. Review Your Donor Database
Audit what data you hold, who can access it, and whether all of it needs to be in systems accessible to staff. The less data exposed to the attack surface, the less damage a breach can cause.
3. Prepare Incident Response
Have a plan for when—not if—you're breached. Who communicates? What do you say? How do you notify affected individuals? Waiting until after a breach to figure this out guarantees a poor response.
Conclusion: Trust Breached, Trust to Rebuild
The ShinyHunters attack on Harvard's donor database represents more than a cybersecurity incident. It represents a fundamental breach of trust between one of America's most prestigious institutions and the individuals who have supported it with their wealth and their personal information.
Harvard built its $50+ billion endowment by cultivating relationships of trust. Donors shared not just their money but their contact information, their family details, their wealth, and their philanthropic priorities. They did so believing Harvard would protect this information.
That trust was violated—not by Harvard's choice, but by Harvard's failure to implement security controls that could have prevented a sophisticated but well-documented attack methodology. The vishing techniques used by ShinyHunters are known. The vulnerabilities in push-based MFA are documented. The risk to advancement offices has been demonstrated repeatedly.
What happens now will determine whether that trust can be rebuilt. If Harvard chooses silence, minimal notification, and business as usual, donors will remember. If the university chooses transparency, proactive protection, and meaningful security investment, there's a path forward.
For the 115,000 individuals whose data is now in criminal hands—including some of America's wealthiest and most influential citizens—the damage is already done. They will spend years watching for targeted fraud, wondering which unsolicited call might be a criminal armed with their wealth rating and family details.
They deserved better. They still deserve better. And so do the donors, alumni, and students at every other university that hasn't yet suffered its own ShinyHunters moment.
Technical Appendix: Indicators of Compromise
Security teams should watch for these indicators associated with ShinyHunters operations:
Phishing Domain Patterns
- <institution>sso.com
- my<institution>sso.com
- <institution>internal.com
- <institution>support.com
- <institution>okta.com
- <institution>access.com
Known Domain Registrars
- NICENIC (associated with UNC6661)
- Tucows (associated with UNC6671)
VPN/Proxy Services Used
- Mullvad
- Oxylabs
- NetNut
- 9Proxy
- Infatica
- nsocks
Suspicious User Agent Strings
- S3 Browser/X.X.X (https://s3browser.com)
- WinSCP/X.X.X neon/X.X.X
- WindowsPowerShell/5.1.X (SharePoint exfiltration)
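The domain patterns and user-agent strings above are simple enough to check mechanically against newly observed domains (certificate transparency, DNS logs) and web proxy logs. The following is an added example, not from the article: it generalises the six listed domain shapes into a rule (institution name plus an SSO-style token, outside the institution's own apex) and matches the three user-agent families, flagging PowerShell only toward SharePoint hosts as the appendix qualifies. The institution label, domains and log lines are all constructed placeholders.

```python
import re

SSO_TOKENS = ("sso", "okta", "internal", "support", "access", "login", "auth", "portal")
# The six shapes listed in the appendix, with <institution> as a format slot.
APPENDIX_PATTERNS = ("{i}sso.com", "my{i}sso.com", "{i}internal.com",
                     "{i}support.com", "{i}okta.com", "{i}access.com")

def lookalike_domains(institution: str, apex: str, observed: list[str]) -> dict[str, str]:
    """Map suspicious domain -> reason.

    `apex` is the institution's real registrable domain; it and its
    subdomains are never flagged.
    """
    inst = institution.lower()
    exact = {p.format(i=inst) for p in APPENDIX_PATTERNS}
    hits = {}
    for d in observed:
        d = d.lower().rstrip(".")
        if d == apex or d.endswith("." + apex):
            continue
        if d in exact:
            hits[d] = "matches appendix pattern"
            continue
        label = d.split(".")[0]             # first label, e.g. "my-university-okta"
        compact = label.replace("-", "")
        if inst in compact and any(tok in compact.replace(inst, "") for tok in SSO_TOKENS):
            hits[d] = "institution name + SSO-style token outside own apex"
    return hits

# User-agent shapes from the appendix; "X.X.X" becomes a numeric version match.
UA_RULES = [
    ("S3 Browser", re.compile(r"^S3 Browser/\d+(\.\d+)*")),
    ("WinSCP", re.compile(r"^WinSCP/\d+(\.\d+)*")),
    ("WindowsPowerShell", re.compile(r"^WindowsPowerShell/5\.1(\.\d+)*")),
]

def exfil_user_agents(proxy_lines: list[str]) -> list[tuple[str, str, str]]:
    """Parse constructed 'ts user host "ua"' lines; return (user, host, tool) hits.

    PowerShell is flagged only toward SharePoint hosts: admin scripts use that
    UA legitimately elsewhere, and the appendix ties it to SharePoint exfiltration.
    """
    line_re = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)"$')
    out = []
    for line in proxy_lines:
        m = line_re.match(line)
        if not m:
            continue
        _, user, host, ua = m.groups()
        for tool, rx in UA_RULES:
            if rx.match(ua):
                if tool == "WindowsPowerShell" and "sharepoint" not in host.lower():
                    continue
                out.append((user, host, tool))
    return out

# Constructed sample inputs.
SAMPLE_DOMAINS = ["sso.university.example", "universitysso.com", "my-university-okta.com",
                  "universityalumni.org", "universitylogin.net"]
SAMPLE_PROXY_LOG = [
    '2025-11-18T15:01:02Z aad-staff1 tenant.sharepoint.example "WindowsPowerShell/5.1.22621.1"',
    '2025-11-18T15:02:40Z aad-staff1 s3.example "S3 Browser/11.3.7 (https://s3browser.com)"',
    '2025-11-18T15:03:11Z it-admin ad.university.example "WindowsPowerShell/5.1.19041.1"',
    '2025-11-18T15:04:00Z aad-staff2 mail.university.example "Mozilla/5.0 (Windows NT 10.0)"',
    '2025-11-18T15:05:30Z aad-staff1 files.university.example "WinSCP/6.3.4 neon/0.32.2"',
]

if __name__ == "__main__":
    for d, why in lookalike_domains("university", "university.example", SAMPLE_DOMAINS).items():
        print(f"lookalike: {d}  ({why})")
    for user, host, tool in exfil_user_agents(SAMPLE_PROXY_LOG):
        print(f"exfil UA: {user} -> {host} via {tool}")
```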
Contact Methods (for extortion)
- shinycorp@tutanota.com
- shinygroup@onionmail.com
- Tox and Telegram channels
Last updated: February 7, 2026
This article is part of breached.company's ongoing coverage of significant data security incidents. For previous coverage of the ShinyHunters collective, see our reporting on the Ticketmaster, AT&T, and PowerSchool breaches.