
University of Pennsylvania ‘We Got Hacked’ Email Incident: Abuse of connect.upenn.edu on Salesforce Marketing Cloud

  • Rescana
  • Nov 2
  • 6 min read

Executive Summary

On October 31, 2025, the University of Pennsylvania experienced a coordinated campaign in which offensive emails with the subject "We got hacked (Action Required)" were sent to students, alumni, and faculty from various university email addresses, including those associated with the Graduate School of Education. The emails claimed that university data had been stolen and threatened to leak sensitive information, while also containing highly offensive language targeting the university’s policies and reputation. The University of Pennsylvania’s Office of Information Security and Incident Response team immediately began investigating the incident. Official statements from the university and independent media confirm that there is no evidence of an actual data breach or exfiltration. The emails were sent via the university’s mailing list platform, “connect.upenn.edu,” which is hosted on Salesforce Marketing Cloud. The university has not confirmed any compromise of its core systems and has stated that the emails are fraudulent. The incident underscores the risk of abuse of mass communication platforms in higher education and the potential for reputational harm even in the absence of data loss. All claims in this summary are corroborated by the University of Pennsylvania Division of Public Safety, BleepingComputer, and CBS News Philadelphia (https://www.publicsafety.upenn.edu/notices/notice/, https://www.bleepingcomputer.com/news/security/offensive-we-got-hacked-emails-sent-in-penn-security-incident/, https://www.cbsnews.com/philadelphia/news/penn-email-hacked-vulgar-philadelphia/).

Technical Information

The incident involved the abuse of the University of Pennsylvania’s mailing list platform, “connect.upenn.edu,” which is hosted on Salesforce Marketing Cloud. Offensive and fraudulent emails were distributed from legitimate-looking university email addresses, including those of the Penn Graduate School of Education and other employees. The emails claimed that the university had been hacked and that sensitive data would be leaked, but there is no evidence to support these claims. The university’s Office of Information Security and Incident Response team is actively investigating the source and method of the attack.

The attack vector appears to be the exploitation or abuse of the university’s mass mailing infrastructure rather than a compromise of core IT systems. BleepingComputer confirmed that all emails were sent via “connect.upenn.edu,” and headers indicated use of the Salesforce Marketing Cloud platform. It remains unclear whether the attacker gained unauthorized access to the platform through compromised credentials, misconfigured permissions, or another method. The university has not confirmed any technical breach of its core systems.
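As an added illustration of the header-based triage described above (example code written for this page, not code from the original post or from Rescana): a small Python helper that parses a constructed sample message, flags a bulk-platform relay for an organisation domain, and matches the reported subject line. The X-SFMC-Stack header name, the ESP hostnames and the addresses in the sample are assumptions, not captured incident data.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample, modelled on a bulk message relayed by a third-party
# mailing platform on behalf of a university domain. Hostnames, IPs and
# IDs are placeholders, not headers captured from the real incident.
SAMPLE_MESSAGE = """\
Return-Path: <bounce-000@bounce.example-esp.net>
Received: from mta.example-esp.net (mta.example-esp.net [203.0.113.10])
 by mx.example.edu with ESMTPS; Fri, 31 Oct 2025 10:00:00 -0400
Authentication-Results: mx.example.edu; spf=pass smtp.mailfrom=bounce.example-esp.net;
 dkim=pass header.d=connect.upenn.edu
X-SFMC-Stack: s1
From: "Penn GSE" <noreply@connect.upenn.edu>
To: student@example.edu
Subject: We got hacked (Action Required)

(body omitted)
"""

UNIVERSITY_DOMAINS = ("upenn.edu",)  # organisation domain; subdomains count as well
KNOWN_BAD_SUBJECT = "we got hacked (action required)"  # subject reported for this campaign
# Header Salesforce Marketing Cloud adds to outbound mail (assumption; verify
# against messages your own organisation has sent through the platform).
SFMC_HEADER = "X-SFMC-Stack"

def domain_of(addr: str) -> str:
    return parseaddr(addr)[1].rpartition("@")[2].lower()

def is_org_domain(domain: str) -> bool:
    return any(domain == d or domain.endswith("." + d) for d in UNIVERSITY_DOMAINS)

def triage(raw: str) -> dict:
    msg = message_from_string(raw)
    from_domain = domain_of(msg.get("From", ""))
    bounce_domain = domain_of(msg.get("Return-Path", ""))
    auth = " ".join(msg.get_all("Authentication-Results", []))
    dkim = re.search(r"dkim=pass\s+header\.d=([\w.-]+)", auth)
    dkim_domain = dkim.group(1).lower() if dkim else ""
    findings = []
    if msg.get("Subject", "").strip().lower() == KNOWN_BAD_SUBJECT:
        findings.append("subject matches the reported fraudulent campaign")
    via_sfmc = msg.get(SFMC_HEADER) is not None
    if via_sfmc:
        findings.append("relayed through Salesforce Marketing Cloud (X-SFMC-Stack present)")
    if is_org_domain(from_domain) and bounce_domain and not is_org_domain(bounce_domain):
        findings.append("organisation From: domain with third-party bounce domain: bulk platform send")
    # An aligned DKIM pass only shows the platform is authorised to sign for the
    # domain; abuse of the platform itself still authenticates cleanly.
    return {"from_domain": from_domain, "bounce_domain": bounce_domain,
            "via_sfmc": via_sfmc, "dkim_aligned": dkim_domain == from_domain,
            "findings": findings}
```

Because the mailing platform is an authorised sender, SPF and DKIM pass for messages it relays, so authentication results identify the sending path rather than decide legitimacy; the platform's own access and send logs are where the investigation continues.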

No malware was identified or delivered as part of this campaign. The attack was limited to the distribution of offensive, fraudulent emails. There is no evidence of ransomware, commodity crimeware, or custom malware being used. The primary tool abused in this incident was the Salesforce Marketing Cloud platform, a legitimate Software-as-a-Service (SaaS) product commonly used for mass communications in higher education.

The attack methods map to several techniques in the MITRE ATT&CK framework. The use of mass email to deliver fraudulent messages aligns with T1566.001 (Phishing: Spearphishing Attachment/Link). The abuse of a web-based email platform for mass communication aligns with T1585.002 (Compromise of Web-based Email Accounts). There is a plausible, but unconfirmed, use of T1078 (Valid Accounts) if the attacker leveraged compromised credentials or abused legitimate access to the mailing list platform. Confidence is high for T1566.001 and T1585.002, and medium for T1078 due to the lack of direct evidence of credential compromise.

Historically, the education sector has been a frequent target for phishing, business email compromise, and reputational attacks due to large user bases, decentralized IT environments, and reliance on third-party communication platforms. Similar incidents have involved the abuse of platforms like Mailchimp, Constant Contact, and university-specific mailing systems to send fraudulent or malicious emails. No specific threat actor or group has been attributed to this incident as of the reporting date. The language and content of the emails suggest possible ideological or reputational motives, but this remains circumstantial and unsupported by technical evidence.

The incident highlights the risk of reputational damage and operational disruption even in the absence of data theft. The use of Salesforce Marketing Cloud is common in higher education, making it a potential target for abuse if access controls are weak. The university’s response included the addition of a banner to its website warning about the emails and advising recipients to disregard or delete the messages. There are no public regulatory filings or law enforcement advisories related to this incident as of the verified dates.

All technical claims and timeline details are corroborated by at least three independent, primary sources: the University of Pennsylvania Division of Public Safety, BleepingComputer, and CBS News Philadelphia (https://www.publicsafety.upenn.edu/notices/notice/, https://www.bleepingcomputer.com/news/security/offensive-we-got-hacked-emails-sent-in-penn-security-incident/, https://www.cbsnews.com/philadelphia/news/penn-email-hacked-vulgar-philadelphia/).

Affected Versions & Timeline

The affected platform is the University of Pennsylvania’s “connect.upenn.edu” mailing list, which is hosted on Salesforce Marketing Cloud. There is no evidence that other university systems or platforms were affected.

The incident timeline is as follows:

  • October 31, 2025: Offensive emails with the subject "We got hacked (Action Required)" were sent to students, alumni, and faculty from various university email addresses, including the Graduate School of Education.
  • October 31, 2025: The University of Pennsylvania Division of Public Safety issued an official notice acknowledging the incident and confirming that the Office of Information Security and Incident Response team was actively addressing it.
  • November 1, 2025: CBS News Philadelphia reported that the university stated it was not hacked but was investigating the source of the fraudulent email.

There is no confirmed evidence that any University of Pennsylvania data was actually compromised or exfiltrated. The emails claimed data theft and threatened leaks, but the university and all sources state these are fraudulent claims. The university’s public safety and information security offices are leading the response, and there are no public regulatory filings or law enforcement advisories related to this incident as of the verified dates.

Threat Activity

The threat activity consisted of a coordinated campaign to send offensive, fraudulent emails from legitimate-looking university email addresses via the “connect.upenn.edu” mailing list platform, which is hosted on Salesforce Marketing Cloud. The emails claimed that the university had been hacked and that sensitive data would be leaked, but there is no evidence to support these claims. The emails contained highly offensive language targeting the university’s policies and reputation.

The attack methods map to several techniques in the MITRE ATT&CK framework. The use of mass email to deliver fraudulent messages aligns with T1566.001 (Phishing: Spearphishing Attachment/Link). The abuse of a web-based email platform for mass communication aligns with T1585.002 (Compromise of Web-based Email Accounts). There is a plausible, but unconfirmed, use of T1078 (Valid Accounts) if the attacker leveraged compromised credentials or abused legitimate access to the mailing list platform.

No malware was identified or delivered as part of this campaign. The attack was limited to the distribution of offensive, fraudulent emails. There is no evidence of ransomware, commodity crimeware, or custom malware being used. The primary tool abused in this incident was the Salesforce Marketing Cloud platform.

No specific threat actor or group has been attributed to this incident as of the reporting date. The language and content of the emails suggest possible ideological or reputational motives, but this remains circumstantial and unsupported by technical evidence. There is no evidence of data exfiltration or malware deployment.

The incident highlights the risk of reputational damage and operational disruption even in the absence of data theft. The use of Salesforce Marketing Cloud is common in higher education, making it a potential target for abuse if access controls are weak.

Mitigation & Workarounds

The following mitigation and workaround recommendations are prioritized by severity:

Critical: Immediately review and restrict access controls for all mass mailing platforms, including Salesforce Marketing Cloud, to ensure that only authorized personnel can send messages to large distribution lists. Implement multi-factor authentication (MFA) for all accounts with access to mass communication tools.

High: Conduct a comprehensive audit of all recent activity on the “connect.upenn.edu” platform and other mass mailing systems to identify unauthorized access or configuration changes. Review and update incident response playbooks to include scenarios involving abuse of mass communication platforms.

Medium: Provide targeted security awareness training to all staff and faculty with access to mass mailing tools, emphasizing the risks of credential compromise and the importance of reporting suspicious activity. Regularly review and update permissions for all third-party SaaS platforms used for mass communications.

Low: Communicate clearly with the university community about the incident, advising recipients to disregard or delete fraudulent emails and to report any new or suspicious messages to IT support. Monitor for further attempts to abuse mass mailing platforms and adjust security controls as needed.

There is no evidence of malware or data exfiltration, so endpoint remediation and data loss prevention measures are not immediately required. However, ongoing monitoring and review of access logs are recommended to detect any future attempts at abuse.

References

University of Pennsylvania Division of Public Safety Notice: https://www.publicsafety.upenn.edu/notices/notice/

BleepingComputer Technical Analysis: https://www.bleepingcomputer.com/news/security/offensive-we-got-hacked-emails-sent-in-penn-security-incident/

CBS News Philadelphia Coverage: https://www.cbsnews.com/philadelphia/news/penn-email-hacked-vulgar-philadelphia/

About Rescana

Rescana provides a Third-Party Risk Management (TPRM) platform designed to help organizations identify, assess, and monitor risks associated with external vendors and service providers. Our platform enables continuous monitoring of third-party SaaS platforms, supports rapid incident response, and offers actionable insights into the security posture of communication and collaboration tools. For questions about this report or to discuss how Rescana can support your organization’s risk management needs, please contact us at ops@rescana.com.
