University of Pennsylvania email system compromised in cybersecurity incident
The University of Pennsylvania experienced a cybersecurity incident on Friday, October 31, 2025, when attackers gained access to multiple university email accounts and sent mass fraudulent emails to students, alumni, staff, and community affiliates.
The emails carried the subject line "We got hacked (Action Required)" and threatened to leak student and institutional data.
The malicious emails were sent from multiple official Penn email addresses, including those associated with the Graduate School of Education (gse@connect.upenn.edu) and accounts appearing to belong to senior university staff members. It appears that the emails were sent via "connect.upenn.edu," a Penn mailing list platform hosted on Salesforce Marketing Cloud.
This probably means that the actual email accounts are not compromised. Instead, the university's account on this marketing platform is probably compromised.
The attackers threatened to leak the following data types, but actual data exposure has not been confirmed:
- Student records protected under FERPA
- Personal information of students, faculty, and alumni
- Institutional data
The nature of the attack, any exposed data, and the exact number of affected individuals have not been disclosed.
A Penn spokesperson confirmed the incident, stating: "A fraudulent email has been circulated that appears to come from the University of Pennsylvania's Graduate School of Education. This is obviously a fake, and nothing in the highly offensive, hurtful message reflects the mission or actions of Penn or of Penn GSE. The University's Office of Information Security is aware of the situation, and our Incident Response team is actively addressing it."
The university added a banner to its website warning about the emails and instructing recipients to disregard or delete the messages.
Update - as of 2nd of November 2025, Bleeping Computer reports that the breach originated from a compromised employee PennKey Single Sign-On (SSO) account, which provided the attackers with broad access across multiple university systems. The compromised credentials granted them "full access" to Penn's Virtual Private Network (VPN), Salesforce Marketing Cloud platform, Qlik analytics system, SAP business intelligence infrastructure, and SharePoint file repositories.
The hacker has published a 1.7-GB archive containing spreadsheets, donation materials, and other files allegedly taken from Penn's SharePoint and Box systems and claims to have stolen data for roughly 1.2 million students, alumni, and donors. The stolen data allegedly exposed:
- Full names
- Dates of birth
- Physical addresses
- Phone numbers
- Estimated net worth
- Complete donation history to the university
- Religious affiliation
- Racial and ethnic background
- Sexual orientation
As of 5th of November 2025, the University of Pennsylvania confirmed that the attack exposed data of students and alumni and was caused by a social engineering attack. An unnamed employee revealed that while the university requires multi-factor authentication (MFA), some high-ranking officials were granted exemptions from this security requirement. The university declined to specify the number of affected individuals or details of the accessed information.
As of 17th of November 2025, the school says that “The 1.2 million number has been mischaracterized and overstates the impact”.