Skip to main content
Emerging ThreatsData Breaches

ShinyHunters Breach Exposes 2.3M Moody Bible Institute Accounts

College setting with laptop on a desk, hinting at vulnerability.

More than 2.3 million records tied to people affiliated with Moody Bible Institute were exposed online after the Christian college was targeted by the extortion group ShinyHunters, a breach that was later added to the Have I Been Pwned database and publicly leaked by the criminals on June 23.

Data elements published in the MBI cache

The files made available for download on June 23, consistent with ShinyHunters' claims, contained a broad set of personally identifiable information: names, genders, dates of birth, physical and email addresses, phone numbers and marital statuses. The leaked cache also included internal documents concerning donor relations and lists or records tied to MBI's supporters, students and alumni.

Have I Been Pwned has since ingested the cache into its breach notification database, producing the 2.3 million-plus figure for exposed accounts.

Moody Bible Institute's public timeline and actions

MBI first disclosed the incident in June and has not spoken publicly since June 22, the day before ShinyHunters published the stolen files. In its public messaging, the organization said its technology team had addressed a vulnerability and that outside cybersecurity experts had been engaged to assist with the incident response.

MBI urged those affiliated with the institute to monitor accounts, and to make use of free credit freezes and fraud alerts until the investigation was completed. The organization framed its response in spiritual terms: "Throughout this process, we are grateful for the Lord's faithfulness and for the dedicated teams and outside experts working tirelessly to protect our ministry and those we serve," MBI said. "We are confident that God remains sovereign over every circumstance, and we trust Him to grant wisdom and discernment as we navigate this situation together."

ShinyHunters' 2026 campaign and prior alerts

The Moody Bible Institute incident is one of many attributed to ShinyHunters in 2026. The group's public leak site listed 86 victims since January, though that total may understate the true toll because organizations that paid extortion demands can be removed from the list. ShinyHunters has been linked to earlier high-profile intrusions involving Salesforce, Carnival and Pitney Bowes, and has claimed an Oracle PeopleSoft campaign it said affected more than 100 organizations—citing a PeopleSoft breach in the materials about the MBI attack.

National security alerts were issued earlier in the year following ShinyHunters' compromise of the learning platform Canvas, which the group said affected an estimated 275 million students. The pattern of public leaks and prior alerts helps explain why the MBI files were added quickly to Have I Been Pwned and why the incident drew immediate attention from outside researchers.

What this means for donors, students, and alumni

  • Donors and supporters: Documents concerning donor relations were included in the cache, which raises the possibility of targeted solicitations or fraud attempts using donor data. Those named in donor-related documents were among the groups MBI advised to monitor accounts.
  • Students and alumni: The leaked records encompassed students and alumni lists; MBI said more than 250,000 students have studied at the institute since its founding in 1886, underscoring the size of its historic community that could be affected.
  • Radio listeners and publishing customers: MBI operates Moody Radio and a publishing arm; supporters connected to those ministries were included in the general description of exposed "supporters" and related documents in the cache.

Evidence of extortion and unanswered operational questions

ShinyHunters is known for "pay‑or‑leak" extortion operations, and the public leak of MBI data suggests the group's extortion demands were not met in this case. MBI itself did not explicitly confirm whether it negotiated with the criminal group. The institute's public statements focus on remediation and engagement of external cybersecurity expertise rather than on details of any negotiation or ransom decision.

The breach joins a series of publicly documented ShinyHunters incidents in 2026 and amplifies concerns about high-volume leaks that include both standard personally identifiable information and internal institutional records. MBI’s call for free credit freezes and fraud alerts signals the practical next steps for affected individuals, while the addition of the cache to Have I Been Pwned gives people a way to learn whether their accounts appear in the published files.

As MBI continues its investigation with outside experts, the core facts remain: a June disclosure, a June 23 public leak, a cache containing millions of records and donor-related documents, and a broader criminal campaign that has already prompted national security alerts earlier in the year. Whether that broader campaign will prompt additional, public-facing action by MBI or others on the ShinyHunters list is a question the timeline has yet to answer.

Original story on The Register