Case Study

ShinyHunters breached Harvard and UPenn.

Voice phishing compromised Alumni Affairs staff, leaking data on 739K people including donor wealth bands. suss. catches the credential harvesting that enables attacks like this.

The initial compromise was a phone call we can't intercept. But the follow-up phishing, credential pages, and lateral movement? That's where suss. stops the chain.

What happened

Voice phishing compromised staff
ShinyHunters used voice phishing to trick Alumni Affairs staff at Harvard and UPenn into sharing credentials. The attackers impersonated IT support over the phone.
739K records exfiltrated
The attackers accessed alumni databases containing names, addresses, donation history, and donor wealth bands. They demanded $1M ransom from each university.
Both universities refused ransom
Harvard and UPenn declined to pay. ShinyHunters leaked the data in February 2026, exposing hundreds of thousands of donors and alumni.

Source: TechCrunch

Honest about our gap

The initial compromise was a voice phone call — a channel suss. cannot currently intercept. However, attacks like this don't end with one phone call. They involve follow-up phishing emails, fake login pages for credential harvesting, and lateral movement through compromised accounts. Those are the phases suss. catches.

How suss. would have caught the follow-up

We simulated the credential harvesting emails and fake login pages that typically follow voice phishing. Here's what fired.

60% (High Risk): Credential Harvesting Attack Detected

4 threat indicators fired

  • 85%: Urgent account verification request (account_verification_urgent)
  • 80%: Social Security number requested (ssn_request)
  • 75%: Fake tech support callback number (tech_support_callback_scam)
  • 70%: Credential harvesting via fake login page (credential_harvesting)

Recommended actions

  1. NEVER share credentials over the phone — IT will never ask for your password
  2. Navigate to university systems directly via bookmarks, not links
  3. Report this to IT security immediately
  4. If you shared credentials, reset your password and enable MFA now
  5. Enable multi-factor authentication on all university systems

The cost of no protection

  • 739K: Records leaked
  • $1M: Ransom demanded (each)
  • 2: Ivy League universities hit simultaneously

Why universities are prime targets

High-value donor data
Alumni databases contain wealth bands, donation history, and personal details — premium data on the dark web.
Advancement offices are trusting
Alumni Affairs staff are relationship-builders by nature. Social engineering exploits their helpfulness.
Decentralized IT security
Each department manages its own systems. A single compromised account in Alumni Affairs can access databases that campus-wide IT may not monitor.
Ransom leverage
Leaking donor wealth data threatens fundraising relationships — creating enormous pressure to pay ransoms, even if universities publicly refuse.

Breaking the attack chain

Credential Harvesting

Detects fake login pages, suspicious verification requests, and SSN/credential requests via email or chat.

Social Engineering

Identifies impersonation of IT support, urgency-based credential requests, and callback number scams.

Account Takeover

Flags phishing from compromised internal accounts, suspicious forwarding rules, and lateral movement indicators.

Data Exfiltration Indicators

Detects unusual data access patterns, bulk export requests, and suspicious system access from new locations.

With suss. vs. without

Without suss.

  • Voice phishing call tricks staff into sharing credentials
  • Attacker accesses alumni database undetected
  • Follow-up phishing emails sent from compromised account
  • 739K records exfiltrated over days
  • $1M ransom demand — both universities refuse
  • Data leaked publicly, donor trust shattered

With suss.

  • Voice call still happens (gap: no phone interception yet)
  • Follow-up credential harvesting emails flagged instantly
  • Fake login pages blocked by page analyzer + form guard
  • Compromised account phishing detected and reported
  • IT security alerted before lateral movement succeeds
  • Attack chain broken — database access prevented

How the pilot works

  1. Deploy to high-risk departments first
     Start with Alumni Affairs, Development, and Advancement offices — the departments attackers target for donor data access.
  2. Ambient scanning activates immediately
     The extension scans every email and page in the background. No training needed — staff continue working normally while suss. watches for threats.
  3. Credential harvesting blocked in real-time
     Fake login pages are detected and blocked. Phishing emails get warning badges. Credential submission on unregistered domains is intercepted.
  4. IT security gets full visibility
     A campus dashboard shows which departments are being targeted, what attack types are trending, and which threats were blocked.

Start a free 30-day pilot

Protect your advancement and alumni offices from credential harvesting. Deploy in minutes, no IT integration required.

If ShinyHunters targeted Harvard and UPenn, no institution is immune.

Free for qualified universities and government institutions

  • 524: Scam signals
  • 26: Identity theft
  • 94.5%: Precision
  • 93.2%: Recall