Moody Bible Institute Data Breach Exposes 2.3 Million Email Addresses
Moody Bible Institute is investigating a cybersecurity incident after personal data tied to the organization appeared in a public breach listing. According to Have I Been Pwned, the incident exposed more than 2.3 million unique email addresses, along with other personal information connected to donors, supporters, students, and alumni.
The public notice from Moody Bible Institute says the organization implemented security protocols after cyber criminals claimed they accessed certain internal systems. Moody also said it brought in internal and external cybersecurity experts to investigate the matter and assess the potential impact.
Access content across the globe at the highest speed rate.
70% of our readers choose Private Internet Access
70% of our readers choose ExpressVPN
Browse the web from multiple devices with industry-standard security protocols.
Faster dedicated servers for specific actions (currently at summer discounts)
The exposed data goes beyond email addresses. The breach listing includes names, phone numbers, physical addresses, dates of birth, genders, and marital statuses. That mix of details can help criminals build convincing phishing messages and attempt identity fraud.
What happened at Moody Bible Institute?
The incident became public in June 2026, when CyberInsider reported that Moody Bible Institute had appeared on a dark web extortion site linked to ShinyHunters. The threat actor claimed it had stolen more than 23 GB of data from the Chicago-based Christian higher education organization.
The claims mentioned data connected to enrollment, donor relations, payroll, and communications systems. Moody has not published a full technical breakdown of how the incident happened, but its statement confirms that it started an investigation after cyber criminals claimed they had accessed internal systems.
Moody Bible Institute said it acted immediately after learning of the claims. The institute has not yet shared a final number of affected individuals in its own notice, but the public breach record lists millions of exposed email addresses.
Key details about the Moody Bible Institute breach
| Detail | Current information |
|---|---|
| Organization | Moody Bible Institute |
| Reported breach period | June 2026 |
| Threat actor linked to the incident | ShinyHunters |
| Exposed email addresses | More than 2.3 million |
| Affected groups | Donors, supporters, students, and alumni |
| Known exposed data types | Names, emails, phone numbers, physical addresses, dates of birth, genders, and marital statuses |
How the incident fits a wider ShinyHunters campaign
The Moody incident also comes during a broader wave of attacks against education and enterprise systems. Google Cloudโs Mandiant and Google Threat Intelligence Group said they identified an active compromise and extortion campaign attributed to UNC6240, also known as ShinyHunters, targeting Oracle PeopleSoft application infrastructure between May 27 and June 9, 2026.
Oracle separately issued an Oracle Security Alert for CVE-2026-35273, a vulnerability in Oracle PeopleSoft PeopleTools. Oracle said the flaw can be exploited remotely without authentication and may allow remote code execution if successfully exploited.
The NVD record lists Oracle PeopleSoft Enterprise PeopleTools versions 8.61 and 8.62 as affected and gives the vulnerability a CVSS 3.1 base score of 9.8. That score places it in the critical range.
What information was exposed?
The exposed Moody Bible Institute records contain several types of personally identifiable information. This makes the breach more serious than a simple email leak because attackers can combine different fields to create more believable scams.
- Full names
- Email addresses
- Phone numbers
- Physical addresses
- Dates of birth
- Genders
- Marital statuses
Criminals often use this kind of information to personalize phishing emails, impersonate trusted organizations, or pressure victims into sharing more data. Messages that reference donations, student records, alumni activity, or faith-based community ties may appear more convincing to affected individuals.
Why the Moody Bible Institute breach matters
The breach matters because Moody Bible Institute has relationships with students, alumni, donors, supporters, and ministry partners. Those relationships can give attackers context that makes phishing attempts feel familiar and legitimate.
The same report said the attackers claimed the stolen data came from several institutional systems. If even part of those claims overlaps with confirmed exposed records, affected people may face a higher risk of targeted social engineering.
The broader campaign also appears to have focused heavily on higher education. The Google Cloud analysis said Google notified more than 100 global organizations with potentially vulnerable endpoints, and 68 percent operated in higher education.
What affected people should do now
People who donated to Moody Bible Institute, studied there, worked with the organization, or had any previous relationship with it should treat unexpected messages carefully. Attackers may use leaked personal details to make emails, texts, or calls look more credible.
- Check whether your email appears in public breach notification services.
- Change reused passwords on any account connected to the exposed email address.
- Turn on multi-factor authentication for email, banking, cloud storage, and social accounts.
- Watch for messages that mention donations, student records, alumni activity, or Moody Bible Institute.
- Monitor credit reports and financial accounts for unusual activity.
Organizations running PeopleSoft should also review their exposure. The Oracle advisory recommends immediate action to address CVE-2026-35273, while the NVD entry notes that the issue affects confidentiality, integrity, and availability.
What remains unclear
Moody Bible Institute has not published a complete technical report explaining the initial access method, the full number of affected people, or whether specific internal systems were confirmed as compromised. The investigation may clarify those points later.
For now, the safest assumption for anyone connected to Moody is that exposed personal data may be used in phishing, identity theft attempts, or account takeover campaigns. The most useful immediate steps are to secure accounts, avoid trusting unsolicited messages, and watch for suspicious financial activity.
FAQ
Have I Been Pwned lists more than 2.3 million unique email addresses in the Moody Bible Institute breach. Moody has not published its own final affected-person count in the public notice.
The exposed records include names, email addresses, phone numbers, physical addresses, dates of birth, genders, and marital statuses. The data relates to donors, supporters, students, and alumni.
The breach has been linked to ShinyHunters, a financially motivated extortion group associated with data theft and leak threats. Public reporting connected the Moody incident to a ShinyHunters leak site.
Affected people should change reused passwords, enable multi-factor authentication, monitor financial accounts and credit reports, and treat unexpected messages about Moody Bible Institute with caution.
Public reports and threat intelligence place the Moody incident in the context of a wider ShinyHunters campaign affecting education organizations. Google and Oracle have separately documented active exploitation of CVE-2026-35273 in Oracle PeopleSoft, but Moody has not publicly confirmed the exact attack vector.
Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more
User forum
0 messages