Moody Bible Institute (MBI), the Chicago-based evangelical higher education organization founded in 1886, says it is investigating claims that its systems were breached after it was listed on a dark web extortion site operated by the ShinyHunters threat group. The actor alleges it stole more than 23 GB of sensitive data spanning roughly 1,300 files and "tens of millions of records." In a statement, MBI confirmed it is aware of the claim and has engaged cybersecurity experts to assess its validity and impact. No breach has been confirmed, and the actor's claims remain unverified.
What Happened
ShinyHunters listed Moody Bible Institute on its leak and extortion site, a tactic the group routinely uses to pressure victims into paying a ransom under threat of public data release. According to the posting, the group claims to have exfiltrated approximately 23 GB of data drawn from multiple institutional systems, including enrollment, donor relations, payroll, and communications platforms.
MBI responded by confirming awareness of the claim and launching an investigation. In its statement, the institution said: "The Moody Bible Institute of Chicago is aware of a claim of data breach in our system. We have engaged with our cyber security experts to investigate the validity and/or impact of this claim. We will provide more information as they become available." At this stage the institution has not verified that any breach occurred.
What Was Taken
If the actor's claims hold, the exposure is broad and touches data sources across the organization. ShinyHunters specifically references material allegedly sourced from MBI, EDC, Salesforce leads, PeopleSoft communications records, Horizon SIS, WHPD donor databases, and Cadence admissions systems.
The group quantifies the haul as roughly 46 million communication records, 2.2 million enrollment lead records, and more than 108,000 biographical records containing personal details such as addresses and birth dates. The presence of donor databases and payroll systems raises the prospect of financial and personally identifiable information being among the affected data. These figures are the actor's claims and have not been independently validated.
Why It Matters
Faith-based and nonprofit higher education institutions hold a deep well of sensitive data (donor financial relationships, alumni records, student biographical details, and payroll), yet often operate with leaner security budgets than commercial enterprises. That combination makes them attractive, comparatively soft targets for extortion-focused actors.
ShinyHunters has been linked to numerous high-profile data theft and extortion incidents in recent years, frequently weaponizing stolen data as leverage. The named systems point to a multi-platform footprint spanning CRM, SIS, HR, and donor management. The volume of biographical and communication records, if real, creates downstream risk of phishing, fraud, and targeted social engineering against students, alumni, donors, and ministry partners across the United States and abroad.
The Attack Technique
The initial access vector has not been disclosed, and MBI's investigation is ongoing. ShinyHunters has historically favored data theft through compromised credentials, exposed cloud and SaaS instances, and access to third-party platforms such as Salesforce and similar CRM environments rather than ransomware-style encryption.
The breadth of the named sources, ranging from Salesforce and PeopleSoft to admissions and SIS platforms, is consistent with the group's pattern of harvesting data across interconnected enterprise applications, potentially through a single point of compromised access or stolen API and account credentials. Until MBI completes its review, the entry point and scope remain unconfirmed.
What Organizations Should Do
- Audit and rotate credentials across SaaS and CRM platforms such as Salesforce, PeopleSoft, and admissions and SIS systems, and enforce phishing-resistant multi-factor authentication on all administrative and integration accounts.
- Review third-party and API access tokens, revoking unused or over-permissioned connections that could allow bulk data export.
- Implement data loss prevention monitoring and alerting on large or anomalous outbound transfers from donor, payroll, and student record systems.
- Segment and minimize data retention so that enrollment leads, biographical records, and communications logs are not retained in bulk beyond operational need.
- Prepare breach notification and donor and student communication plans in advance, and engage legal and forensic specialists early when extortion claims surface.
- Monitor dark web and extortion sites for organizational mentions, and treat any listing as a trigger for immediate incident response rather than waiting for confirmation.
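As an added illustration of the outbound-transfer alerting recommended above (this is example code written for this page, not anything from MBI or the reporting), the sketch below baselines each account's daily export volume and flags days far above it. The log format, account names, system names, and thresholds are all assumptions, and the sample lines are constructed.

```python
from collections import defaultdict
from statistics import median

# Constructed sample export log (not real data): day, account, source system, bytes out.
SAMPLE_LOG = """\
2024-05-01 svc-crm-sync donor-db 40000000
2024-05-02 svc-crm-sync donor-db 42000000
2024-05-03 svc-crm-sync donor-db 39000000
2024-05-04 svc-crm-sync donor-db 41000000
2024-05-05 svc-crm-sync donor-db 43000000
2024-05-06 svc-crm-sync donor-db 6200000000
2024-05-06 svc-crm-sync sis 5100000000
2024-05-01 hr-admin payroll 2000000
2024-05-02 hr-admin payroll 2500000
2024-05-03 hr-admin payroll 1800000
2024-05-04 hr-admin payroll 2200000
2024-05-05 hr-admin payroll 2100000
2024-05-06 hr-admin payroll 2400000
"""

def daily_totals(log_text):
    """Sum outbound bytes per account per day; track which systems were read."""
    totals = defaultdict(lambda: defaultdict(int))
    systems = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue  # skip malformed lines rather than crash the monitor
        day, account, system, nbytes = parts
        totals[account][day] += int(nbytes)
        systems[(account, day)].add(system)
    return totals, systems

def flag_bulk_exports(log_text, k=6.0, floor=500_000_000, min_history=3):
    """Return (account, day, bytes, systems) for days far above the account's baseline."""
    totals, systems = daily_totals(log_text)
    alerts = []
    for account, per_day in totals.items():
        days = sorted(per_day)
        for i, day in enumerate(days):
            history = [per_day[d] for d in days[:i]]
            if len(history) < min_history:
                continue  # not enough earlier days to form a baseline
            base = median(history)
            # Median absolute deviation: one earlier spike cannot inflate the spread.
            mad = median(abs(v - base) for v in history) or 1
            if per_day[day] >= floor and per_day[day] > base + k * mad:
                alerts.append((account, day, per_day[day], sorted(systems[(account, day)])))
    return alerts
```

The absolute floor keeps low-volume accounts from alerting on small relative jumps; tune it and `k` against real export volumes before relying on the output.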
Sources: Moody Bible Institute investigates potential data breach incident