A hacker has claimed responsibility for last week’s University of Pennsylvania email incident, saying the breach was much larger than initially reported and involved the exposure of data from about 1.2 million donors, alumni, and students, BleepingComputer reports.
On Friday, many Penn alumni and students received several offensive emails from official Penn.edu addresses. The messages claimed the university had been hacked and included insulting language directed at the institution. The emails were confirmed to have come from connect.upenn.edu, a mailing system hosted on Salesforce Marketing Cloud. The university initially described the messages as fake and dismissed them as fraudulent emails.
However, the person behind the attack later contacted BleepingComputer and said they had gained deep access to multiple Penn systems. According to the hacker, their group managed to access an employee’s PennKey single sign-on account, which allowed them into several platforms, including the university’s VPN, Salesforce data, SAP business system, SharePoint files, and Qlik analytics tools.
The hacker claimed to have stolen personal data belonging to around 1.2 million people connected to the university. This included names, addresses, phone numbers, dates of birth, estimated net worth, donation history, and sensitive demographic information such as religion, race, and sexual orientation. To prove their claim, they shared screenshots and data samples online.
The hacker said they entered Penn’s systems on October 30 and completed their data downloads by October 31, when the compromised account was locked. After losing access, they still managed to use Salesforce Marketing Cloud to send the offensive mass emails to about 700,000 recipients.
When asked how they obtained the login credentials, the hacker refused to give details but blamed the incident on Penn’s weak security. They have since released a 1.7-gigabyte file that allegedly contains spreadsheets, donation records, and internal documents stolen from Penn’s servers.
The attacker said they are not trying to extort the university for money and that their main goal was to access Penn’s donor database. They described their motive as non-political but expressed disdain for what they called “elitist institutions.” The hackers also hinted that they might release the full donor database in the coming months.
When approached for comment about these claims, the University of Pennsylvania said it is still investigating the matter.





