ShinyHunters Expose 2.3 Million Records From Moody Bible Institute in Latest Pay-or-Leak Assault

ShinyHunters leaked personal data on 2.3 million people linked to Moody Bible Institute after the Christian college declined to pay extortion demands. Names, addresses, dates of birth and more from students, donors and alumni are now public. The June incident highlights ongoing risks to educational and faith-based organizations from repeat attackers. Moody engaged cybersecurity experts and continues its investigation.
ShinyHunters Expose 2.3 Million Records From Moody Bible Institute in Latest Pay-or-Leak Assault
Written by Eric Hastings

Chicago’s Moody Bible Institute learned the hard way last month that even faith-based organizations aren’t spared from the reach of opportunistic cyber extortionists. Data belonging to more than 2.3 million individuals tied to the Christian college, radio network and publishing house now sits freely available online. Names. Addresses. Dates of birth. Phone numbers. The works.

ShinyHunters, the same group behind a string of high-profile attacks this year, added Moody to its leak site in mid-June. When the institution didn’t pay, the files went public. Have I Been Pwned incorporated the breach on July 3, confirming the scale. The timing couldn’t be worse for an organization built on trust and donor relationships.

Moody disclosed the incident on June 22. Its statement struck a tone of cautious transparency mixed with scriptural reassurance. “Our Information Technologies Services team immediately implemented security protocols to address the vulnerability and engaged both internal and external cybersecurity experts to thoroughly investigate the matter and assess its potential impact,” the school said, per its official notice. The investigation continues. Details on exactly what was taken remain incomplete.

Yet the leaked material tells its own story. The cache includes names, genders, dates of birth, physical and email addresses, phone numbers and marital statuses. Documents touch on donor relations, supporters, current students and alumni. Some reports put the haul at 23 gigabytes, encompassing 46 million communication records, 2.2 million enrollment leads and over 100,000 biodemographic files. The figures come from threat intelligence platforms that tracked ShinyHunters’ claims.

Extortion campaigns meet faith-based targets with growing frequency.

ShinyHunters has compiled quite the rap sheet in 2026. The group hit Salesforce customers, Carnival Cruise Line, Pitney Bowes and even claimed a campaign against Oracle PeopleSoft installations that touched more than 100 organizations. One of those PeopleSoft exploits reportedly played a role in the Moody breach, according to multiple analyses. Earlier this year the gang also targeted the Canvas learning platform, exposing records linked to an estimated 275 million students. National security alerts followed that one.

The pattern is clear. Identify a vulnerable system. Exfiltrate. Demand payment. Leak if ignored. Moody appears to have chosen the latter path. No public evidence suggests the school negotiated with the attackers. Its June 22 update made no mention of ransom. Instead it advised affected individuals to watch their accounts closely, consider credit freezes and set up fraud alerts while the probe unfolded.

“Throughout this process, we are grateful for the Lord’s faithfulness and for the dedicated teams and outside experts working tirelessly to protect our ministry and those we serve,” Moody added in the statement. “We are confident that God remains sovereign over every circumstance, and we trust Him to grant wisdom and discernment as we navigate this situation together.” The language resonates with the institution’s 140-year history. Founded in 1886, Moody has trained more than 250,000 students for ministry work. It operates undergraduate and graduate programs, an aviation track with theology components, Moody Radio and a publishing division focused on Christian literature.

But spiritual framing doesn’t shield against identity theft. Or phishing campaigns tailored to older donors. Or the long-term erosion of confidence among alumni and financial supporters. A cyber expert quoted in The Register put it bluntly. Those 2.3 million accounts now need salvation. The remark captures the scale. It also hints at the human cost.

Recent coverage adds fresh perspective. CyberSecurityNews reported today that the breach exposes 2.3 million users’ personal data, reinforcing the link to ShinyHunters’ “pay or leak” tactics. Similar details appeared in CyberPress within the last few hours. The speed with which the story spread on X reflects heightened interest in attacks on educational and nonprofit targets.

Law firms have taken notice too. Several announced investigations into potential class-action lawsuits. They cite risks of identity theft and unauthorized access to sensitive records. Whether those suits gain traction depends on what Moody’s ongoing investigation ultimately reveals. The school has stayed largely silent since late June. That quiet leaves room for speculation.

And speculation abounds. Was the entry point a known Oracle PeopleSoft vulnerability? Multiple sources tie ShinyHunters’ broader campaign to exploits in that platform. Google’s Threat Analysis Group previously flagged the group’s activity in the education sector. Moody’s mix of legacy systems, online course platforms and donor databases likely presented an attractive target. Complex environments. Multiple ministries under one umbrella. The attack surface is broad.

So what happens next? Affected parties should check their status on Have I Been Pwned. Change passwords. Enable multifactor authentication everywhere possible. Monitor financial accounts. Treat unsolicited messages referencing Moody with suspicion. Basic steps. Yet they matter when the data includes enough personal details to fuel convincing social engineering.

Moody’s response so far emphasizes external expertise and internal remediation. It urges vigilance. The institution’s statement acknowledges the complexity of the probe. Many details still need clarification. That honesty is refreshing in an industry often criticized for vague disclosures. But it also underscores how much remains unknown. How deep did the intruders go? What exactly did they copy? Were any payment or financial records involved beyond what’s already public?

The incident fits a larger trend. Cybercriminals increasingly view universities, colleges and affiliated nonprofits as soft targets. Valuable personal data. Sometimes research information. Often weaker defenses than pure commercial enterprises. ShinyHunters’ 86 listed victims this year alone, with the real total likely higher among those who paid quietly, illustrate the volume.

Yet Moody stands out. Its mission centers on faith, education and global outreach. The breach strikes at the heart of that work. Donors may think twice. Students and alumni could worry about long-term privacy. The radio audience and publishing customers might question data handling practices. Trust, once damaged, is difficult to restore.

Security teams at similar organizations are no doubt reviewing their own Oracle deployments and donor databases right now. The PeopleSoft connection, if confirmed, should prompt urgent patching and segmentation reviews. External incident response firms will stay busy. The cycle continues.

Moody Bible Institute built its reputation over more than a century on reliability and purpose. This breach tests that foundation in new ways. The coming weeks will show how the institution balances its theological outlook with the practical demands of cybersecurity in an age where no sector is truly sacred.

Subscribe for Updates

CybersecurityUpdate Newsletter

The CybersecurityUpdate Email Newsletter is your essential source for the latest in cybersecurity news, threat intelligence, and risk management strategies. Perfect for IT security professionals and business leaders focused on protecting their organizations.

By signing up for our newsletter you agree to receive content related to ientry.com / webpronews.com and our affiliate partners. For additional information refer to our terms of service.

Notice an error?

Help us improve our content by reporting any issues you find.

Get the WebProNews newsletter delivered to your inbox

Get the free daily newsletter read by decision makers

Subscribe
Advertise with Us

Ready to get started?

Get our media kit

Advertise with Us