The University of Pennsylvania is investigating fraudulent mass emails sent Friday from accounts tied to its Graduate School of Education that hit students, staff, alumni and others with offensive messages and threats to leak data.
Penn posted a site banner warning that “a fraudulent email is currently being circulated” that appears to come from a Penn GSE account. The Office of Information Security said its incident response team is actively addressing the situation and advised the community to disregard or delete the messages.
The Daily Pennsylvanian reported the emails were sent from multiple university-affiliated addresses and contained slurs and claims about leaking student data. School and college IT offices told their communities they were working to block further messages and asked users to mark them as phishing or spam.
TechCrunch said messages came from various @upenn.edu accounts tied to Penn GSE. A university spokesperson called them “obviously a fake.” The university has not confirmed any data exposure.
An internal note cited by the student newspaper said the Annenberg School had not been hacked and suggested an external mailing list may have been abused, an assessment still under review.

Similar account-takeover or list-abuse blasts have hit other campuses this year. Marshall University said mass phishing emails were sent from a compromised account in May. Metropolitan State University of Denver reported an attack that sent about 250,000 malicious emails in January. The University at Buffalo warned of phishing from compromised UB accounts pushing fake Zoom invites in July. Microsoft separately detailed a “Payroll Pirates” campaign that hijacked university accounts and used them to email nearly 6,000 addresses at 25 institutions.
Outside the United States, Western Sydney University in Australia said fraudulent emails told students and graduates their degrees were “revoked” and they were excluded from study; the university notified police and later linked the emails to previously stolen data.
Penn has long warned about phishing on campus, publishing examples and guidance on reporting suspicious emails to the Office of Information Security.
Penn is an Ivy League university in Philadelphia with 29,109 students in fall 2024.
Penn says incident response is ongoing. The university asked recipients to delete the messages and contact local IT support if new variants appear. No timeline for resolution or details on account resets were provided.