Case Study — Ivy League

ShinyHunters breached Harvard and UPenn.

Voice phishing compromised Alumni Affairs staff at both universities. 739,000 records leaked, including donor wealth bands. Both universities refused the $1M ransoms. ShinyHunters published the data in February 2026.

The initial compromise was a phone call we cannot intercept. But the follow-up phishing, credential harvesting pages, and lateral movement? That is where suss. stops the chain.

What happened
  1. Voice phishing compromised staff
    ShinyHunters used voice phishing to trick Alumni Affairs staff at Harvard and UPenn into sharing credentials. The attackers impersonated IT support over the phone.
  2. 739K records exfiltrated
    The attackers accessed alumni databases containing names, addresses, donation history, and donor wealth bands. They demanded $1M ransom from each university.
  3. Both universities refused the ransom
    Harvard and UPenn declined to pay. ShinyHunters leaked the data in February 2026, exposing hundreds of thousands of donors and alumni.
What it cost
  • 739K records leaked
  • $1M ransom demanded, each university
  • 2 Ivy League universities hit simultaneously
What suss. would have surfaced

A signed record, before the wire.

suss. interaction record: Flagged
Credential Harvesting Attack Detected

This is the kind of message your people see, before they act on it. Plain guidance, not a number.

  • Never share credentials over the phone. IT will never ask for your password.
  • Navigate to university systems directly via bookmarks, not links.
  • Report this to IT security immediately.
  • If you shared credentials, reset your password and enable MFA now.
  • Enable multi-factor authentication on all university systems.
signed 9c2f…e7a1 · queryable record
Why this keeps happening

Why alumni databases are premium targets.

High-value donor data
Alumni databases contain wealth bands, donation history, and personal details. Premium data on the dark web.
Advancement offices are trusting
Alumni Affairs staff are relationship-builders by nature. Social engineering exploits their helpfulness.
Decentralized IT security
Each department manages its own systems. A single compromised account in Alumni Affairs can access databases that campus-wide IT may not monitor.
Ransom leverage
Leaking donor wealth data threatens fundraising relationships. Enormous pressure to pay, even when universities publicly refuse.
The divergence
Without suss.
  1. Voice phishing call tricks staff into sharing credentials.
  2. Attacker accesses the alumni database undetected.
  3. Follow-up phishing emails sent from the compromised account.
  4. 739K records exfiltrated over days.
  5. $1M ransom demand. Both universities refuse.
  6. Data leaked publicly. Donor trust shattered.
With suss.
  1. Voice call still happens. Phone interception is a gap we are closing.
  2. Follow-up credential harvesting emails flagged instantly.
  3. Fake login pages blocked by the page analyzer and form guard.
  4. Compromised account phishing detected and reported.
  5. IT security alerted before lateral movement succeeds.
  6. Attack chain broken. Database access prevented.

Want this catching the next one before it ships?

This is a documented incident with a public source. The next one is in someone's inbox right now. suss. is what catches it.