Harvard says an attacker gained access to Alumni Affairs and Development systems using a phone-based phishing technique.
Harvard University disclosed that an unauthorized party accessed information systems used by Alumni Affairs and Development after a voice phishing attack on November 18, 2025. According to reporting by BleepingComputer, the compromised systems stored contact details and engagement records for students, alumni, donors, staff, and faculty.
The university said the intrusion allowed the attacker to view information such as email addresses, telephone numbers, home and business addresses, donation history, and event participation records. Harvard confirmed that the affected systems did not store Social Security numbers, passwords, financial account data, or payment card information. Notifications were issued on November 22 to individuals whose information may have been viewed, and the institution is working with federal authorities and external cybersecurity specialists to assess the scope of the incident. Early findings suggest that multiple groups may be affected, including alumni, donors, parents of students, some current students, and some staff members.
Harvard’s Chief Information Officer and the Vice President for Alumni Affairs and Development said the university removed the unauthorized access immediately after detection and began a review of activity within the affected systems. The notification letters advised recipients to stay alert for communications that appear to come from Harvard but request sensitive information. University representatives stated that they could not yet provide an estimate of the number of individuals affected. BleepingComputer previously reported that Harvard had also been listed on a ransomware leak site in October during a separate incident under investigation.
Voice phishing has become a more frequent technique in attacks that target higher-education institutions. A 2024 analysis by Google Cloud’s Threat Intelligence team reported a sharp increase in phishing activity directed at US universities, noting that attackers increasingly blend phone-based social engineering with email lures to obtain credentials and circumvent authentication steps. The report found that adversaries often rely on institutional terminology, caller-ID spoofing, and support-style scripts to appear legitimate, making it easier to request access changes or guide victims toward attacker-controlled login portals.
Large development (fundraising) databases hold long-term contact histories, engagement profiles, and sometimes internal notes, all of which can support social engineering and profiling against the individuals listed.
Voice phishing relies on real-time interaction: attackers impersonate internal staff or vendors and pressure the victim into sharing credentials or approving actions while still on the call.
Training that covers verification procedures, caller authentication, escalation paths, and rules about never providing credentials by phone helps reduce exposure.
Engagement records help attackers build convincing impersonation scripts, letting them reference real events, donation amounts, or past interactions to gain trust.
Verify any request through a known official channel rather than by replying to the unexpected communication itself, and report unusual activity to the institution’s security office.