🔴 HIGH | breach

University of Pennsylvania Breach - 1.2M Donor Records Exposed

A single compromised PennKey SSO account gave attackers the run of UPenn's infrastructure: VPN access, Salesforce Marketing Cloud, Qlik analytics, SAP BI, and SharePoint. What's brutal: threat actors exfiltrated data on 1.2 million donors, alumni, and students on October 30 and 31, 2025, including names, birthdates, addresses, estimated net worth, donation history, and sensitive demographics such as religion, race, and sexual orientation. After Penn locked the compromised employee account, the attackers still had access to Salesforce Marketing Cloud and used it to blast offensive mass emails to roughly 700,000 recipients from legitimate connect.upenn.edu addresses. BleepingComputer verified the mailing source was Penn's actual Salesforce environment. The attackers told BleepingComputer their main target was the 'wonderfully wealthy donor database' and claimed they weren't extorting the university because 'we can extract plenty of value out of the data ourselves.' What's notable: this demonstrates how SSO compromise cascades across integrated platforms. One credential unlocked CRM, analytics, BI, file storage, and email infrastructure, and locking the account at the identity provider did not cut off access that had already been established downstream. The threat actors published a 1.7GB archive of SharePoint and Box files but haven't released the full donor database yet, saying they may leak it in one to two months.

🎯CORTEX Protocol Intelligence Assessment

Business Impact: Exposure of high-value donor profiles increases fraud, reputational, and compliance risks for higher education institutions and their foundations. Defensive Priority: Audit SSO and marketing cloud integrations, enforce phishing-resistant MFA, and monitor for targeted outreach abusing donor attributes. Industry Implications: University advancement systems are attractive targets due to rich demographic and financial metadata.

Strategic Intelligence Guidance

  • Enforce hardware-backed MFA for SSO and marketing platforms; review conditional access policies
  • Segment and minimize donor data in analytics/BI tools; implement field-level encryption and DLP controls
  • Rotate API keys, OAuth tokens, and service credentials tied to CRM and email infrastructure
  • Stand up takedown and comms playbooks to counter impersonation and fraudulent solicitations
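The failure mode in this incident is the gap between locking an account at the IdP and revoking everything it had already established downstream (sessions, OAuth tokens, connected-app credentials). The following is an added example, not code from the original page or from any of the vendors named: it correlates a constructed, simplified IdP lock event against constructed SaaS activity records, flags any activity by the locked identity after the lock time, and lists the (application, credential type) pairs that still need revocation. Field names and timestamp format are assumptions for illustration, not any vendor's real log schema.

```python
"""Detect SaaS activity that continues after an SSO account was locked.

Added example. Event records below are constructed and simplified; the
field names are assumptions, not a real IdP or CRM audit-log schema.
"""
from datetime import datetime, timezone

# Constructed IdP audit events: when an identity was locked or disabled.
IDP_EVENTS = [
    {"ts": "2025-10-31T14:05:00Z", "user": "jdoe@example.edu", "action": "user.lock"},
]

# Constructed downstream SaaS activity. "auth" is the credential that
# carried the request: an SSO-backed session or a long-lived OAuth token.
SAAS_EVENTS = [
    {"ts": "2025-10-31T13:50:00Z", "user": "jdoe@example.edu", "app": "crm",
     "auth": "sso_session", "action": "export", "rows": 1200000},
    {"ts": "2025-10-31T16:20:00Z", "user": "jdoe@example.edu", "app": "marketing",
     "auth": "oauth_token", "action": "send_campaign", "recipients": 700000},
    {"ts": "2025-10-31T18:00:00Z", "user": "jdoe@example.edu", "app": "marketing",
     "auth": "oauth_token", "action": "send_campaign", "recipients": 50000},
    {"ts": "2025-10-31T17:00:00Z", "user": "asmith@example.edu", "app": "bi",
     "auth": "sso_session", "action": "query"},
]


def parse_ts(ts):
    """Parse an ISO-8601 UTC timestamp with a trailing Z into an aware datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def lock_times(idp_events):
    """Return the earliest lock/disable time per user from the IdP log."""
    locks = {}
    for ev in idp_events:
        if ev["action"] in ("user.lock", "user.disable"):
            t = parse_ts(ev["ts"])
            if ev["user"] not in locks or t < locks[ev["user"]]:
                locks[ev["user"]] = t
    return locks


def residual_access(idp_events, saas_events):
    """Flag downstream activity by a user after that user's IdP lock time.

    Activity before the lock is the original compromise and is expected;
    activity after it means the lock did not propagate to that app's
    credentials. Returned alerts are sorted by time and annotated with
    how many minutes after the lock they occurred.
    """
    locks = lock_times(idp_events)
    alerts = []
    for ev in saas_events:
        lock_at = locks.get(ev["user"])
        if lock_at is None:
            continue  # user was never locked; out of scope for this check
        t = parse_ts(ev["ts"])
        if t > lock_at:
            minutes = int((t - lock_at).total_seconds() // 60)
            alerts.append({**ev, "minutes_after_lock": minutes})
    return sorted(alerts, key=lambda a: a["ts"])


def revocation_targets(alerts):
    """Distinct (app, credential type) pairs that survived the IdP lock.

    Each pair is something the IdP lock did not invalidate and that must be
    revoked separately (for example, OAuth tokens on the marketing platform).
    """
    return {(a["app"], a["auth"]) for a in alerts}


if __name__ == "__main__":
    found = residual_access(IDP_EVENTS, SAAS_EVENTS)
    for a in found:
        print(f"{a['ts']} {a['user']} {a['app']}/{a['auth']} {a['action']} "
              f"(+{a['minutes_after_lock']} min after lock)")
    print("revoke:", sorted(revocation_targets(found)))
```

In a real deployment the two inputs would come from the IdP's audit export and each SaaS platform's login/activity history, and the revocation set would feed the token-rotation step from the guidance above rather than a print statement.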

Vendors

University of Pennsylvania, Salesforce Marketing Cloud

Threats

data breach, credential compromise, spear-phishing

Targets

Higher education, Donor relations, Alumni networks

Impact

Data Volume: 1.2 million donor records