
University of Pennsylvania PennKey SSO Breach Exposes 1.2 Million Donor Records in Major Data Leak

  • Rescana
  • 2 hours ago
  • 6 min read

Executive Summary

On October 30, 2025, a threat actor gained unauthorized access to the University of Pennsylvania’s (Penn) internal systems by compromising an employee’s PennKey Single Sign-On (SSO) account. This breach enabled the attacker to access multiple critical platforms, including Salesforce Marketing Cloud, Qlik, SAP, and SharePoint, resulting in the exfiltration of sensitive data belonging to approximately 1.2 million donors, alumni, and students. The compromised data includes names, dates of birth, addresses, phone numbers, estimated net worth, donation history, and demographic information such as religion, race, and sexual orientation. Following the revocation of the compromised account, the attacker leveraged persistent access to Salesforce Marketing Cloud to send offensive mass emails to roughly 700,000 recipients, using official Penn email addresses. The university has confirmed the breach and is conducting an ongoing investigation. There is no evidence of extortion demands, and the attacker claims the primary motivation was to obtain the donor database. The incident highlights significant risks related to SSO credential compromise, the abuse of cloud-based communication platforms, and the exposure of highly sensitive personal and financial data. All information in this summary is directly supported by the cited primary sources.

Technical Information

The breach at Penn was initiated through the compromise of an employee’s PennKey SSO account, which is the university’s centralized authentication system for accessing internal and cloud-based resources. The attacker’s method for obtaining the credentials remains unconfirmed; the threat actor declined to specify whether phishing, an infostealer, or another technique was used, only stating that the intrusion was “simple” and attributed to “security lapses” at the university (BleepingComputer).

Once inside, the attacker used the compromised SSO credentials to access the university’s VPN and a range of internal and cloud-based platforms, including Salesforce Marketing Cloud (used for mass communications), Qlik (analytics), SAP (business intelligence), and SharePoint (file storage). The attacker claims to have exfiltrated data for approximately 1.2 million individuals, including donors, alumni, and students. The data set reportedly includes personally identifiable information (PII) such as names, dates of birth, addresses, phone numbers, estimated net worth, donation history, and sensitive demographic details (religion, race, sexual orientation). Screenshots and data samples provided to BleepingComputer, as well as a 1.7-GB archive posted online, substantiate the claim of access and exfiltration (BleepingComputer).

The attacker’s access to the compromised SSO account was revoked on October 31, 2025. However, persistent access to Salesforce Marketing Cloud allowed the attacker to send mass emails from legitimate Penn addresses to approximately 700,000 recipients, including alumni, students, staff, and affiliates. These emails contained offensive and inflammatory language, criticized the university’s security practices, and threatened to leak additional data. The emails were sent from a variety of Penn-affiliated accounts, including those purporting to be from the Graduate School of Education and senior staff members (TechCrunch, Economic Times).

The attacker stated that the primary motivation was to obtain the university’s donor database, not to extort the institution or pursue a political agenda. The threat actor indicated that the donor database may be released publicly in the future, but as of the latest reporting, it has not been leaked. The university has acknowledged the breach, confirmed the circulation of fraudulent emails, and stated that its incident response team is actively investigating the matter (BleepingComputer, TechCrunch, Economic Times).

No specific malware, infostealer, or exploit has been identified in connection with this breach. The technical evidence available consists of screenshots, data samples, and mass email headers, which confirm unauthorized access and data exfiltration but do not reveal the initial compromise vector beyond credential misuse.

The attack techniques observed in this incident align with the following MITRE ATT&CK tactics and techniques:

  • T1078: Valid Accounts – Use of compromised SSO credentials for initial access and lateral movement (high confidence, based on attacker statements and evidence).

  • T1021: Remote Services – Use of VPN and SSO to access internal and cloud systems (high confidence).

  • T1530: Data from Cloud Storage Object – Exfiltration of files from SharePoint and Box (high confidence).

  • T1585: Establish Accounts and T1586: Compromise Accounts – Abuse of Salesforce Marketing Cloud to send mass emails from legitimate accounts (high confidence).

  • T1566: Phishing – Possible initial access vector, but unconfirmed (low confidence).

The breach demonstrates a sector-specific risk for higher education institutions, which often rely on SSO for user convenience but may lack robust access controls and monitoring. The exposure of sensitive donor and student data also raises significant compliance concerns under FERPA (Family Educational Rights and Privacy Act) and other privacy regulations.

Affected Versions & Timeline

The breach affected the following systems and platforms at the University of Pennsylvania: PennKey SSO, VPN, Salesforce Marketing Cloud, Qlik, SAP, SharePoint, and Box. The specific versions of these platforms have not been disclosed in the available sources.

The verified timeline of events is as follows:

  • October 30, 2025: the attacker gained initial access to Penn’s systems via a compromised employee PennKey SSO account (BleepingComputer).

  • October 31, 2025: the attacker completed data exfiltration and the compromised account was locked, terminating direct access. The same day, the attacker used persistent access to Salesforce Marketing Cloud to send mass emails to approximately 700,000 recipients (BleepingComputer, TechCrunch).

  • November 1 to 2, 2025: the university publicly confirmed the breach and announced an ongoing investigation (Economic Times).

Threat Activity

The threat actor’s activity began with the compromise of a PennKey SSO account, which provided broad access to internal and cloud-based systems. The attacker’s lateral movement included accessing the university’s VPN, Salesforce, Qlik, SAP, and SharePoint platforms. The attacker exfiltrated a large volume of sensitive data, including PII and financial information for approximately 1.2 million individuals. The attacker provided screenshots and data samples to media outlets to substantiate their claims and posted a 1.7-GB archive of files allegedly taken from SharePoint and Box.

After the compromised account was locked, the attacker retained access to Salesforce Marketing Cloud and used it to send offensive and inflammatory emails to a wide range of university affiliates. These emails were sent from legitimate Penn email addresses, including those associated with the Graduate School of Education and senior staff, and were designed to cause reputational harm and disrupt university operations. The emails contained language criticizing the university’s security practices, admissions policies, and compliance with federal regulations such as FERPA.

The attacker stated that the primary motivation was to obtain the donor database, not to extort the university or pursue a political agenda. The threat actor indicated that the donor database may be released publicly in the future, but as of the latest reporting, it has not been leaked. The university has acknowledged the breach, confirmed the circulation of fraudulent emails, and stated that its incident response team is actively investigating the matter (BleepingComputer, TechCrunch, Economic Times).

No evidence has been presented to suggest that the attacker deployed ransomware, demanded a ransom, or used malware to maintain persistence. The attack relied on credential compromise and the abuse of legitimate cloud-based communication tools.

Mitigation & Workarounds

The following mitigation actions are prioritized by severity:

Critical: Immediate revocation and reset of all compromised and potentially exposed PennKey SSO credentials is essential. Multi-factor authentication (MFA) should be enforced for all SSO accounts, especially those with access to sensitive systems such as Salesforce, Qlik, SAP, and SharePoint. Continuous monitoring for unusual login activity and access patterns across all cloud and internal platforms is required.

High: Conduct a comprehensive audit of all privileged accounts and access logs for signs of lateral movement or additional compromise. Review and restrict access permissions for cloud-based communication platforms such as Salesforce Marketing Cloud to prevent unauthorized mass messaging. Implement strict controls on the use of third-party SaaS integrations and regularly review their security configurations.

Medium: Provide targeted security awareness training to all staff and affiliates, emphasizing the risks of phishing, credential theft, and social engineering. Communicate with all affected donors, alumni, and students regarding the breach, the types of data exposed, and recommended steps to protect themselves from targeted phishing and fraud.

Low: Review and update incident response and communication plans to ensure rapid detection, containment, and notification in the event of future breaches. Evaluate the security posture of all third-party vendors and cloud service providers used by the institution.

All mitigation recommendations are based on the technical details and sector-specific risks identified in the cited sources.
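The incident’s key lesson, that locking the PennKey account did not end the attacker’s access to Salesforce Marketing Cloud, turns the Critical and High monitoring items into a concrete check: correlate identity-provider revocation events with SaaS audit logs and alert on any activity by a revoked identity, escalating when that activity is a bulk send. The Python below is an added example, not Penn’s or Rescana’s code; the log fields, user names and the 50,000-recipient threshold are constructed assumptions and follow no real IdP or Salesforce Marketing Cloud schema.

```python
# Added example (not Penn's or Rescana's tooling): flag SaaS activity that
# continues after the identity provider (SSO) has revoked the account.
# Event tuples below are constructed and follow no real Salesforce Marketing
# Cloud or IdP log schema.
from datetime import datetime, timezone

# Constructed IdP deprovisioning events: (user, revocation time, ISO-8601 UTC)
IDP_REVOCATIONS = [("staff.user@example.edu", "2025-10-31T09:15:00Z")]

# Constructed SaaS audit events: (time, user, platform, action, recipient_count)
SAAS_EVENTS = [
    ("2025-10-30T22:40:00Z", "staff.user@example.edu", "sharepoint", "download", 0),
    ("2025-10-31T08:50:00Z", "staff.user@example.edu", "marketing_cloud", "login", 0),
    ("2025-10-31T14:05:00Z", "staff.user@example.edu", "marketing_cloud", "send_campaign", 700000),
    ("2025-10-31T15:00:00Z", "other.user@example.edu", "marketing_cloud", "send_campaign", 1200),
]

BULK_SEND_THRESHOLD = 50000  # assumed per-campaign recipient ceiling for this tenant


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_orphaned_activity(revocations, events):
    """Return events by a user that occur after that user's IdP revocation.
    SaaS platforms keep their own sessions and API tokens, so SSO revocation
    alone does not end access already granted; later activity is the signal."""
    cutoff = {user: parse_ts(when) for user, when in revocations}
    findings = []
    for ts, user, platform, action, _count in events:
        if user in cutoff and parse_ts(ts) > cutoff[user]:
            lag = int((parse_ts(ts) - cutoff[user]).total_seconds() // 60)
            findings.append({"time": ts, "user": user, "platform": platform,
                             "action": action, "minutes_after_revocation": lag})
    return findings


def triage(revocations, events, threshold=BULK_SEND_THRESHOLD):
    """Rank alerts: a bulk send from a revoked identity outranks either signal alone."""
    orphaned = {(f["time"], f["user"]) for f in find_orphaned_activity(revocations, events)}
    alerts = []
    for ts, user, platform, action, count in events:
        bulk = action == "send_campaign" and count >= threshold
        if (ts, user) in orphaned and bulk:
            alerts.append(("critical", ts, user, "bulk send after SSO revocation"))
        elif (ts, user) in orphaned:
            alerts.append(("high", ts, user, f"{platform} {action} after SSO revocation"))
        elif bulk:
            alerts.append(("medium", ts, user, "bulk send above threshold"))
    return alerts
```

On the constructed sample, the only alert is the critical one: a 700,000-recipient campaign sent 290 minutes after the identity was revoked, while the same user’s earlier SharePoint download and login fall before the cutoff and are not flagged.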

References

https://www.bleepingcomputer.com/news/security/university-of-pennsylvania-hacker-claims-1.2-million-donor-data-breach/

https://techcrunch.com/2025/10/31/hackers-threaten-to-leak-data-after-breaching-university-of-pennsylvania-to-send-mass-emails/

https://m.economictimes.com/news/international/us/we-got-hacked-penn-community-shaken-after-fraudulent-emails-circulate-from-school-accounts/articleshow/125003398.cms

About Rescana

Rescana provides a Third-Party Risk Management (TPRM) platform that enables organizations to continuously monitor and assess the security posture of their vendors and partners. Our platform supports the identification of credential exposure, cloud service misconfigurations, and access control weaknesses, which are critical in preventing and responding to incidents involving SSO compromise and cloud platform abuse. For questions or further information, please contact us at ops@rescana.com.
