Princeton University Database Compromised in Phishing Attack
Summary
On November 10, 2025, Princeton University suffered a data breach after a phishing attack targeted an employee. The breach exposed personal information of alumni, donors, faculty, and students, including names, email addresses, phone numbers, and home and business addresses. The compromised database did not contain financial information, credentials, or records protected by privacy regulations. The university has since blocked the attackers' access and advised affected individuals to be cautious of phishing attempts.
On November 18, 2025, Harvard University experienced a similar data breach due to a voice phishing attack. The breach exposed personal information of students, alumni, donors, staff, and faculty members. The compromised systems did not contain Social Security numbers, passwords, payment card information, or financial information. Harvard is working with law enforcement and third-party cybersecurity experts to investigate the incident and has sent data breach notifications to affected individuals. The breach was discovered on November 18, 2025, and involved unauthorized access to systems used by Harvard's Alumni Affairs and Development department. Harvard University is also one of the many victims of the recent Oracle E-Business Suite hacking campaign.
Timeline
- 25.11.2025 16:15 · 1 article · 23h ago
  Harvard University Affected by Oracle E-Business Suite Hacking Campaign
  Harvard University is one of the many victims of the recent Oracle E-Business Suite hacking campaign.
  Sources:
  - Alumni, Student, and Staff Information Stolen From Harvard University — www.securityweek.com — 25.11.2025 16:15
- 24.11.2025 16:06 · 2 articles · 1d ago
  Harvard University Voice Phishing Attack Exposes Personal Data
  On November 18, 2025, Harvard University experienced a data breach due to a voice phishing attack. The breach was discovered on November 18, 2025, and involved unauthorized access to systems used by its Alumni Affairs and Development department. The breach exposed email addresses, telephone numbers, home and business addresses, event attendance records, donation details, and biographical information. The compromised systems did not contain Social Security numbers, passwords, payment card information, or financial information. Harvard is working with law enforcement and third-party cybersecurity experts to investigate the incident and has sent data breach notifications to affected individuals. The university has no evidence of further unauthorized access.
  Sources:
  - Harvard University discloses data breach affecting alumni, donors — www.bleepingcomputer.com — 24.11.2025 16:06
  - Alumni, Student, and Staff Information Stolen From Harvard University — www.securityweek.com — 25.11.2025 16:15
- 17.11.2025 21:36 · 2 articles · 8d ago
  Princeton University Database Compromised in Phishing Attack
  On November 10, 2025, Princeton University experienced a data breach due to a phishing attack targeting an employee. The breach exposed personal information of alumni, donors, faculty, and students. The university has since blocked the attackers' access and advised affected individuals to be cautious of phishing attempts.
  Sources:
  - Princeton University discloses data breach affecting donors, alumni — www.bleepingcomputer.com — 17.11.2025 21:36
  - Harvard University discloses data breach affecting alumni, donors — www.bleepingcomputer.com — 24.11.2025 16:06
Information Snippets
- The breach occurred on November 10, 2025, via a phishing attack targeting a Princeton University employee.
  First reported: 17.11.2025 21:36 · 1 source, 2 articles
  Sources:
  - Princeton University discloses data breach affecting donors, alumni — www.bleepingcomputer.com — 17.11.2025 21:36
  - Harvard University discloses data breach affecting alumni, donors — www.bleepingcomputer.com — 24.11.2025 16:06
- Exposed data includes names, email addresses, telephone numbers, and home and business addresses.
  First reported: 17.11.2025 21:36 · 2 sources, 3 articles
  Sources:
  - Princeton University discloses data breach affecting donors, alumni — www.bleepingcomputer.com — 17.11.2025 21:36
  - Harvard University discloses data breach affecting alumni, donors — www.bleepingcomputer.com — 24.11.2025 16:06
  - Alumni, Student, and Staff Information Stolen From Harvard University — www.securityweek.com — 25.11.2025 16:15
- The compromised database did not contain financial information, credentials, or records protected by privacy regulations.
  First reported: 17.11.2025 21:36 · 1 source, 2 articles
  Sources:
  - Princeton University discloses data breach affecting donors, alumni — www.bleepingcomputer.com — 17.11.2025 21:36
  - Harvard University discloses data breach affecting alumni, donors — www.bleepingcomputer.com — 24.11.2025 16:06
- Affected groups include alumni, donors, faculty, students, and their families.
  First reported: 17.11.2025 21:36 · 1 source, 2 articles
  Sources:
  - Princeton University discloses data breach affecting donors, alumni — www.bleepingcomputer.com — 17.11.2025 21:36
  - Harvard University discloses data breach affecting alumni, donors — www.bleepingcomputer.com — 24.11.2025 16:06
- The university has blocked the attackers' access and believes no other systems were compromised.
  First reported: 17.11.2025 21:36 · 1 source, 2 articles
  Sources:
  - Princeton University discloses data breach affecting donors, alumni — www.bleepingcomputer.com — 17.11.2025 21:36
  - Harvard University discloses data breach affecting alumni, donors — www.bleepingcomputer.com — 24.11.2025 16:06
- Harvard University experienced a data breach due to a voice phishing attack on November 18, 2025.
  First reported: 24.11.2025 16:06 · 1 source, 1 article
  Sources:
  - Harvard University discloses data breach affecting alumni, donors — www.bleepingcomputer.com — 24.11.2025 16:06
- The breach exposed email addresses, telephone numbers, home and business addresses, event attendance records, donation details, and biographical information.
  First reported: 24.11.2025 16:06 · 1 source, 1 article
  Sources:
  - Harvard University discloses data breach affecting alumni, donors — www.bleepingcomputer.com — 24.11.2025 16:06
- The compromised systems did not contain Social Security numbers, passwords, payment card information, or financial information.
  First reported: 24.11.2025 16:06 · 2 sources, 2 articles
  Sources:
  - Harvard University discloses data breach affecting alumni, donors — www.bleepingcomputer.com — 24.11.2025 16:06
  - Alumni, Student, and Staff Information Stolen From Harvard University — www.securityweek.com — 25.11.2025 16:15
- Affected groups include alumni, alumni spouses, partners, widows/widowers, donors, parents of current and former students, some current students, and some faculty and staff.
  First reported: 24.11.2025 16:06 · 2 sources, 2 articles
  Sources:
  - Harvard University discloses data breach affecting alumni, donors — www.bleepingcomputer.com — 24.11.2025 16:06
  - Alumni, Student, and Staff Information Stolen From Harvard University — www.securityweek.com — 25.11.2025 16:15
- Harvard is working with law enforcement and third-party cybersecurity experts to investigate the incident.
  First reported: 24.11.2025 16:06 · 2 sources, 2 articles
  Sources:
  - Harvard University discloses data breach affecting alumni, donors — www.bleepingcomputer.com — 24.11.2025 16:06
  - Alumni, Student, and Staff Information Stolen From Harvard University — www.securityweek.com — 25.11.2025 16:15
- Data breach notifications were sent on November 22nd to individuals whose information may have been accessed.
  First reported: 24.11.2025 16:06 · 2 sources, 2 articles
  Sources:
  - Harvard University discloses data breach affecting alumni, donors — www.bleepingcomputer.com — 24.11.2025 16:06
  - Alumni, Student, and Staff Information Stolen From Harvard University — www.securityweek.com — 25.11.2025 16:15
- Harvard urged potentially affected individuals to be cautious of suspicious communications claiming to be from the university.
  First reported: 24.11.2025 16:06 · 1 source, 1 article
  Sources:
  - Harvard University discloses data breach affecting alumni, donors — www.bleepingcomputer.com — 24.11.2025 16:06
- The breach was discovered on November 18, 2025, and involved unauthorized access to systems used by Harvard's Alumni Affairs and Development department.
  First reported: 25.11.2025 16:15 · 1 source, 1 article
  Sources:
  - Alumni, Student, and Staff Information Stolen From Harvard University — www.securityweek.com — 25.11.2025 16:15
- Harvard University is also one of the many victims of the recent Oracle E-Business Suite hacking campaign.
  First reported: 25.11.2025 16:15 · 1 source, 1 article
  Sources:
  - Alumni, Student, and Staff Information Stolen From Harvard University — www.securityweek.com — 25.11.2025 16:15
Similar Happenings
SitusAMC Data Breach Exposes Client and Customer Information
SitusAMC, a real-estate finance services provider for major banks, disclosed a data breach on November 12, 2025, that compromised client and customer data. The breach impacted accounting records, legal agreements, and potentially customer data. The company is still investigating the extent of the breach and has not identified the attackers or the exact methods used. SitusAMC confirmed that no ransomware was deployed and business operations remain unaffected. The company is contacting affected clients and customers individually.
LinkedIn Phishing Campaigns Targeting Enterprises
LinkedIn has become a prominent platform for phishing attacks, with 34% of phishing attacks occurring over non-email channels. Attackers are conducting sophisticated spear-phishing campaigns targeting executives in financial services and technology sectors. These attacks bypass traditional security tools, are cost-effective and scalable for attackers, provide easy access to high-value targets, and have significant potential rewards. The nature of LinkedIn makes it easier for users to fall for these attacks, as they expect to interact with external contacts. The impact of these attacks can be severe, potentially leading to multi-million dollar breaches. Organizations need to adopt comprehensive security measures to detect and block phishing across all apps and delivery vectors. 60% of credentials in infostealer logs are linked to social media accounts, many of which lack MFA. Attackers are hijacking legitimate LinkedIn accounts to launch phishing campaigns, exploiting the lack of MFA on these accounts. LinkedIn phishing attacks target core enterprise cloud platforms such as Microsoft and Google, or specialist Identity Providers like Okta. A single account compromise can snowball into a multi-million dollar, business-wide breach.
University of Pennsylvania suffers email compromise and harassment campaign
The University of Pennsylvania (Penn) experienced a cybersecurity incident where offensive emails were sent from compromised Penn email addresses. The emails claimed that data was stolen in a breach and criticized the university's security practices and admission policies. The incident involved various Penn email addresses, including those from the Graduate School of Education and other university employees. The emails were sent via 'connect.upenn.edu,' a Penn mailing list platform hosted on Salesforce Marketing Cloud. Penn's Incident Response team is addressing the breach, and the university has warned recipients to disregard the emails. The emails were sent on Friday, October 31, 2025.
Storm-2657 Targets University HR Employees in Payroll Hijacking Campaign
A cybercrime gang, Storm-2657, has been targeting university employees in the United States since March 2025 to hijack salary payments. The attackers have successfully compromised 11 accounts at three universities, sending phishing emails to nearly 6,000 email accounts across 25 universities. The campaign, codenamed Payroll Pirates, exploits a lack of multifactor authentication (MFA) or phishing-resistant MFA to compromise Workday accounts and other third-party HR SaaS platforms. The attackers use sophisticated social engineering tactics and adversary-in-the-middle (AITM) links to steal MFA codes, enabling them to gain access to Exchange Online accounts. Once inside, they alter salary payment configurations and redirect payments to accounts under their control. The attackers also create inbox rules to delete incoming warning notification emails from Workday and enroll their own phone numbers as MFA devices for victim accounts. The compromised email accounts are used to distribute further phishing emails, both within the organization and to other universities. The attacks have been ongoing since March 2025, with Microsoft identifying affected customers and providing mitigation guidance. The campaign has been observed targeting a range of U.S.-based organizations, particularly in the higher education sector, and any software-as-a-service (SaaS) platform storing HR or payment and bank account information.
Clop extortion campaign targets Oracle E-Business Suite
The Clop ransomware gang has been exploiting multiple vulnerabilities in Oracle E-Business Suite since at least August 2025, including the zero-day vulnerability CVE-2025-61882. The gang has been sending extortion emails to executives at multiple organizations, claiming to have stolen sensitive data. The campaign involves a high-volume email blast from hundreds of compromised accounts, some previously linked to the FIN11 threat group. The emails contain contact addresses known to be listed on the Clop ransomware gang's data leak site. CrowdStrike attributes the exploitation of CVE-2025-61882 to the Cl0p ransomware gang with moderate confidence, and the first known exploitation occurred on August 9, 2025. The exploit involves an HTTP request to /OA_HTML/SyncServlet, resulting in an authentication bypass. Oracle has released an emergency patch for the zero-day vulnerability and shared indicators of compromise. The exploit was leaked by a group called Scattered Lapsus$ Hunters, raising questions about their potential collaboration with Clop. Envoy Air, a subsidiary of American Airlines, confirms that data was compromised from its Oracle E-Business Suite application after the Clop extortion gang listed American Airlines on its data leak site. Envoy Air stated that no sensitive or customer data was affected, but a limited amount of business information and commercial contact details may have been compromised. The Clop gang is also extorting Harvard University, with the university confirming that the incident impacts a limited number of parties associated with a small administrative unit. GlobalLogic, a digital engineering services provider, has notified over 10,000 current and former employees that their data was stolen in an Oracle E-Business Suite (EBS) data breach. The attackers exploited an Oracle EBS zero-day vulnerability (CVE-2025-61882) to steal personal information belonging to 10,471 employees. 
GlobalLogic's investigation identified access and exfiltration on October 9, 2025, with the earliest date of threat actor activity as July 10, 2025, and the most recent activity occurring on August 20, 2025. The stolen data includes names, addresses, phone numbers, emergency contact details, email addresses, dates of birth, nationalities, countries of birth, passport information, national identifiers or tax identifiers (e.g., Social Security Numbers), salary information, and bank account details. Clop has yet to add GlobalLogic to its leak site, suggesting the company is still negotiating with the threat group or has already paid a ransom. The Washington Post is also among the victims, with nearly 10,000 employees and contractors affected by the data breach. The hackers leveraged a then-zero-day vulnerability in Oracle E-Business Suite software, stole data, and attempted to extort the firm in late September. The compromised data includes full names, bank account numbers and routing numbers, Social Security numbers (SSNs), and tax and ID numbers. Logitech International S.A. confirmed a data breach after a cyberattack by the Clop extortion gang, which exploited a third-party zero-day vulnerability in Oracle E-Business Suite. Logitech filed a Form 8-K with the U.S. Securities and Exchange Commission confirming the data breach. The breach likely includes limited information about employees, consumers, customers, and suppliers, but not sensitive data like national ID numbers or credit card information. Clop added Logitech to its data-leak extortion site, leaking almost 1.8 TB of data allegedly stolen from the company. Logitech confirmed that the breach occurred through a third-party zero-day vulnerability that was patched as soon as a fix was available. Cox Enterprises detected a data breach in late September 2025, which occurred between August 9-14, 2025, due to a zero-day vulnerability in Oracle E-Business Suite. 
The Cl0p ransomware gang has taken credit for exploiting CVE-2025-61882 as a zero-day vulnerability in Oracle E-Business Suite. The threat actor added Cox Enterprises to their data leak website on the dark web on October 27 and published the stolen information. Cl0p listed 29 new companies as their victims earlier today, including major organizations in the automotive, software, and technology sectors. Cox Enterprises is offering identity theft protection and credit monitoring services through IDX at no cost for 12 months to 9,479 impacted individuals. Canon has confirmed being targeted in the recent Oracle E-Business Suite (EBS) hacking campaign. The incident is limited to a subsidiary of Canon U.S.A., Inc., and only affected the web server. Canon has taken security measures and resumed service, but is continuing to investigate further to ensure that there is no other impact. No Canon data has been leaked at the time of writing. Canon was previously targeted in a ransomware attack back in 2020, where hackers stole employee information from the firm’s systems. More than 100 organizations have been named to date on the Cl0p ransomware website as alleged victims of the campaign. Nearly half of the named organizations are major companies in sectors such as IT and telecoms, heavy industry and manufacturing, healthcare and pharma, retail, automotive and transportation, media, and energy and utilities. The United Kingdom’s National Health Service (NHS) is conducting an investigation but has yet to confirm a data breach. The list of big companies that have yet to publicly confirm a data breach includes Michelin, Broadcom, and Bechtel. Cl0p has been the public-facing group to take credit for the Oracle campaign, but an unknown cluster of a threat actor tracked as FIN11 is believed to be behind the attacks. FIN11 conducted similar campaigns targeting other widely used enterprise products in the past. 
Organizations are typically not listed on the Cl0p website without cause, but the actual scope of the breach may be exaggerated by the threat actors. Dartmouth College has disclosed a data breach after the Clop extortion gang leaked data allegedly stolen from the school's Oracle E-Business Suite servers on its dark web leak site. The private Ivy League research university, founded in 1769, has an endowment of $9 billion as of June 30, 2025, over 40 academic departments and programs, and more than 4,000 undergraduate students, with a 7:1 undergraduate-to-faculty ratio. In a breach notification letter filed with the office of Maine's Attorney General, Dartmouth says the attackers exploited an Oracle E-Business Suite (EBS) zero-day vulnerability to steal personal information belonging to 1,494 individuals. The total number of people potentially impacted by this data breach is likely much larger, given that the school is headquartered in Hanover, New Hampshire, and it hasn't yet filed a breach notice with the state's Attorney General. "Through the investigation, we determined that an unauthorized actor took certain files between August 9, 2025, and August 12, 2025. We reviewed the files and on October 30, 2025, identified one or more that contained your name and Social Security number," the college says in letters mailed to those affected by the data leak. In a separate appendix filed with Maine's AG, Dartmouth added that the threat actors also stole documents containing the financial account information of impacted individuals. A Dartmouth College spokesperson was not immediately available for comment when contacted by BleepingComputer earlier today regarding the ransom demanded by the Clop gang and the total number of individuals impacted by the breach. 
The incident is part of a much larger extortion campaign in which the Clop ransomware gang has exploited a zero-day flaw (CVE-2025-61882) since early August 2025 to steal sensitive files from many victims' Oracle EBS platforms. While Clop has yet to disclose the total number of impacted organizations, Google Threat Intelligence Group chief analyst John Hultquist has told BleepingComputer that dozens of organizations were likely breached. The extortion group has also targeted Harvard University, The Washington Post, Logitech, GlobalLogic, and American Airlines subsidiary Envoy Air in this campaign, with their data also leaked online and now available for download via Torrent.