Moody Bible Institute Data Breach Exposes 2.3 Million Email Addresses


Moody Bible Institute is investigating a cybersecurity incident after personal data tied to the organization appeared in a public breach listing. According to Have I Been Pwned, the incident exposed more than 2.3 million unique email addresses, along with other personal information connected to donors, supporters, students, and alumni.

The public notice from Moody Bible Institute says the organization implemented security protocols after cyber criminals claimed they accessed certain internal systems. Moody also said it brought in internal and external cybersecurity experts to investigate the matter and assess the potential impact.

The exposed data goes beyond email addresses. The breach listing includes names, phone numbers, physical addresses, dates of birth, genders, and marital statuses. That mix of details can help criminals build convincing phishing messages and attempt identity fraud.

What happened at Moody Bible Institute?

The incident became public in June 2026, when CyberInsider reported that Moody Bible Institute had appeared on a dark web extortion site linked to ShinyHunters. The threat actor claimed it had stolen more than 23 GB of data from the Chicago-based Christian higher education organization.

The claims mentioned data connected to enrollment, donor relations, payroll, and communications systems. Moody has not published a full technical breakdown of how the incident happened, but its statement confirms that it started an investigation after cyber criminals claimed they had accessed internal systems.

Moody Bible Institute said it acted immediately after learning of the claims. The institute has not yet shared a final number of affected individuals in its own notice, but the public breach record lists millions of exposed email addresses.

Key details about the Moody Bible Institute breach

DetailCurrent information
OrganizationMoody Bible Institute
Reported breach periodJune 2026
Threat actor linked to the incidentShinyHunters
Exposed email addressesMore than 2.3 million
Affected groupsDonors, supporters, students, and alumni
Known exposed data typesNames, emails, phone numbers, physical addresses, dates of birth, genders, and marital statuses

How the incident fits a wider ShinyHunters campaign

The Moody incident also comes during a broader wave of attacks against education and enterprise systems. Google Cloudโ€™s Mandiant and Google Threat Intelligence Group said they identified an active compromise and extortion campaign attributed to UNC6240, also known as ShinyHunters, targeting Oracle PeopleSoft application infrastructure between May 27 and June 9, 2026.

Oracle separately issued an Oracle Security Alert for CVE-2026-35273, a vulnerability in Oracle PeopleSoft PeopleTools. Oracle said the flaw can be exploited remotely without authentication and may allow remote code execution if successfully exploited.

The NVD record lists Oracle PeopleSoft Enterprise PeopleTools versions 8.61 and 8.62 as affected and gives the vulnerability a CVSS 3.1 base score of 9.8. That score places it in the critical range.

What information was exposed?

The exposed Moody Bible Institute records contain several types of personally identifiable information. This makes the breach more serious than a simple email leak because attackers can combine different fields to create more believable scams.

  • Full names
  • Email addresses
  • Phone numbers
  • Physical addresses
  • Dates of birth
  • Genders
  • Marital statuses

Criminals often use this kind of information to personalize phishing emails, impersonate trusted organizations, or pressure victims into sharing more data. Messages that reference donations, student records, alumni activity, or faith-based community ties may appear more convincing to affected individuals.

Why the Moody Bible Institute breach matters

The breach matters because Moody Bible Institute has relationships with students, alumni, donors, supporters, and ministry partners. Those relationships can give attackers context that makes phishing attempts feel familiar and legitimate.

The same report said the attackers claimed the stolen data came from several institutional systems. If even part of those claims overlaps with confirmed exposed records, affected people may face a higher risk of targeted social engineering.

The broader campaign also appears to have focused heavily on higher education. The Google Cloud analysis said Google notified more than 100 global organizations with potentially vulnerable endpoints, and 68 percent operated in higher education.

What affected people should do now

People who donated to Moody Bible Institute, studied there, worked with the organization, or had any previous relationship with it should treat unexpected messages carefully. Attackers may use leaked personal details to make emails, texts, or calls look more credible.

  1. Check whether your email appears in public breach notification services.
  2. Change reused passwords on any account connected to the exposed email address.
  3. Turn on multi-factor authentication for email, banking, cloud storage, and social accounts.
  4. Watch for messages that mention donations, student records, alumni activity, or Moody Bible Institute.
  5. Monitor credit reports and financial accounts for unusual activity.

Organizations running PeopleSoft should also review their exposure. The Oracle advisory recommends immediate action to address CVE-2026-35273, while the NVD entry notes that the issue affects confidentiality, integrity, and availability.

What remains unclear

Moody Bible Institute has not published a complete technical report explaining the initial access method, the full number of affected people, or whether specific internal systems were confirmed as compromised. The investigation may clarify those points later.

For now, the safest assumption for anyone connected to Moody is that exposed personal data may be used in phishing, identity theft attempts, or account takeover campaigns. The most useful immediate steps are to secure accounts, avoid trusting unsolicited messages, and watch for suspicious financial activity.

FAQ

How many people were affected by the Moody Bible Institute data breach?

Have I Been Pwned lists more than 2.3 million unique email addresses in the Moody Bible Institute breach. Moody has not published its own final affected-person count in the public notice.

What information was exposed in the Moody Bible Institute breach?

The exposed records include names, email addresses, phone numbers, physical addresses, dates of birth, genders, and marital statuses. The data relates to donors, supporters, students, and alumni.

Who is linked to the Moody Bible Institute data breach?

The breach has been linked to ShinyHunters, a financially motivated extortion group associated with data theft and leak threats. Public reporting connected the Moody incident to a ShinyHunters leak site.

What should affected Moody Bible Institute users do?

Affected people should change reused passwords, enable multi-factor authentication, monitor financial accounts and credit reports, and treat unexpected messages about Moody Bible Institute with caution.

Is the Moody Bible Institute breach connected to Oracle PeopleSoft?

Public reports and threat intelligence place the Moody incident in the context of a wider ShinyHunters campaign affecting education organizations. Google and Oracle have separately documented active exploitation of CVE-2026-35273 in Oracle PeopleSoft, but Moody has not publicly confirmed the exact attack vector.

Readers help support VPNCentral. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more

User forum

0 messages