Following last week’s email hack at the University of Pennsylvania, new details are emerging, lawsuits are being filed — and people affected are being encouraged to take steps to safeguard their identities.
Since Friday, all of Penn’s systems have been restored, but the threat still lingers as hackers claim to have accessed data from over a million members of the university community. So far, Penn has revealed how the hackers got in, but the full extent of the breach remains uncertain.
As the alleged hackers threaten to take things further, experts say anyone impacted should shore up their online security.
“At this stage, treat it as a serious exposure risk and take the low-effort, high-benefit precautions … especially a credit freeze and MFA [multi-factor authentication] everywhere you can,” Aunshul Rege, criminal justice professor and director of the CARE Lab at Temple University, told Technical.ly.
An email hack typically entails stealing passwords, reusing passwords or accessing one-time access codes to get into the system. Once malicious actors are in, they can move to connected systems and gain access to sensitive information, download data and send out mass emails, leveraging that information to commit other cybercrimes.
“Stay extra alert,” Rege advised. “Take extra security measures and more time to think before you respond to any messages.”
The alleged hackers told Bleeping Computer they used a university employee’s PennKey account to access data about 1.2 million students, alumni and donors. A PennKey account is the university’s “single sign-on identity system,” meaning hackers could access many systems using one login, per Rege.
According to the university, the systems that were accessed included Penn’s customer relationship management system (Salesforce), file repositories, a reporting application and Marketing Cloud. The hackers gained the credentials to Penn’s development and alumni activities systems using “social engineering,” according to Penn, that is, by tricking people into sharing sensitive information.
FAQ: Penn’s 2025 email breach
What happened?
On Oct. 31, 2025, hackers used a Penn Graduate School of Education email system to send mass emails to students, alumni, staff, faculty and possibly others. The message accused the school of having poor security and called it a “dogshit elitist institution.” It also threatened to leak “all your data.”
How did the attackers get in?
Penn says this was a “social engineering” incident, meaning someone was tricked into giving up credentials for the PennKey single sign-on system, not a vulnerability exploit.
What systems were accessed?
The university’s Salesforce CRM, SharePoint and Box file repositories, a QlikView reporting app, and Marketing Cloud, according to Penn. The university says it’s still analyzing the “nature of the information” stolen and will notify affected individuals as required by law.
How many people are affected?
An alleged hacker claimed to have accessed data tied to ~1.2 million students, alumni and donors; Penn says the investigation is ongoing and it cannot verify that figure.
What do the alleged hackers say their motive is?
A person claiming involvement told The Verge the goal was to obtain and sell wealthy donor data, not to make a statement about Penn’s admission or hiring practices or DEI efforts.
What is Penn doing in response?
Penn says systems were restored, the FBI was notified and CrowdStrike was engaged to assist. It has not shared any information about how it plans to modify its security going forward.
Are there lawsuits?
Yes. At least four alumni filed class-action suits alleging inadequate security and negligence following the breach.
What should I do if I got the email or think my data’s at risk?
Experts recommend immediate hygiene: enable multi-factor authentication, use strong/unique passwords, freeze your credit, set account alerts and be wary of phishing. Specific steps include:
• Place a credit freeze, restricting access to your credit report
• Monitor your account: set up alerts for logins and transactions to catch any suspicious activity
• Review data exports from the platforms that were impacted to determine what information may have been taken
How do experts say schools should respond to a breach like this?
• Force password resets and re-authorize all sessions in the affected systems
• Audit and reassess permissions for who can send or schedule mass emails
• Add a “two-person approval” system for mass emails and downloads
“Given that they have a valid login, they are essentially ‘legitimate’ – because their communication comes from real infrastructure and the ‘real’ person,” Rege said. “They can bypass spam filters and even be trusted by recipients.”
Penn is currently in the process of determining what information was taken and will only notify people who have been impacted after that process is complete, according to a statement.
The university has not verified the hackers’ claims. It declined to provide details about what data was accessed or how it’s now securing its systems, instead directing Technical.ly to its FAQ about the incident.
There were multiple cybersecurity hacks at universities earlier this year, including Columbia University and New York University. The hacker who took credit for these incidents appeared to be politically motivated, attacking universities in response to the Supreme Court’s decision to end affirmative action.
For the University of Pennsylvania, though, the alleged hackers may be motivated by financial gain.
Alleged hackers speak out as victims take legal action
Since the mass email was sent, the alleged hackers have come forward to clarify that they were targeting donor data.

People claiming to be the hackers released internal university documents on LeakForum the next day, according to the Daily Pennsylvanian. These documents included memos about donors, bank transactions and internal talking points. They claimed they would sell the data before making it public and that they were targeting donor information with the goal of making money, reported The Verge.
The hackers told The Verge that they were seeking information about ultra-high-net-worth individuals and selected Penn because of its “fairly weak authentication system.”
The school is “confident” that the threat has been contained and is increasing monitoring and security measures.
“Penn’s staff rapidly locked down the systems and prevented further unauthorized access; however, not before an offensive and fraudulent email was sent to our community and information was taken by the attacker,” Joshua Beeman, Penn’s interim VP of information technology and interim CIO, said in an email. “Penn is still investigating the nature of the information that was obtained during this time.”
Cybersecurity expert Rege recommended the university force password resets, reassess who has access to send mass emails and put measures in place to make sure those emails are approved by multiple people. Plus, the institution should review data exports from the impacted systems to understand what information may have been stolen.
Members of the university community are now suing the institution for failing to protect personal data. Alumnus Christopher Kelly first filed a lawsuit in the United States District Court for the Eastern District of Pennsylvania on Monday.
Three other alumni filed lawsuits the next day, claiming that Penn failed to “maintain an adequate data security system to reduce the risk of data breaches and cyber-attacks,” according to the Daily Pennsylvanian.
To protect yourself, experts recommend securing your passwords, adding multi-factor authentication, freezing your credit and tracking account activity. Plus, resources from the Federal Trade Commission provide steps for what to do if you’re involved in a data breach, Rege said.
“We encourage our entire community — inside and outside of Penn — to be wary of suspicious calls or emails that could be phishing attempts,” read the email from interim CIO Beeman. “Particularly those that may be soliciting fraudulent donations, asking for your system credentials, or suggesting you change credentials or passwords.”