Full Report
In June 2026, Moody Bible Institute was targeted by a ShinyHunters "pay or leak" extortion campaign. Over 2.3M unique email addresses and other personal data were later published publicly, including names, physical addresses, phone numbers, dates of birth and other information relating to donors, supporters, students and alumni. In their disclosure notice, Moody advised that they had "engaged both internal and external cybersecurity experts to thoroughly investigate the matter".
Analysis Summary
# Incident Report: Moody Bible Institute Data Breach (ShinyHunters Extortion)
## Executive Summary
In June 2024, the Moody Bible Institute was targeted by the threat actor group "ShinyHunters" in a "pay or leak" extortion campaign. The incident resulted in the exfiltration and subsequent public leak of a database containing 2.3 million unique records belonging to donors, students, and alumni. The organization engaged third-party experts to investigate, while the data was eventually published on public forums after extortion demands were likely unmet.
## Incident Details
- **Discovery Date:** June 2026
- **Incident Date:** June 2026
- **Affected Organization:** Moody Bible Institute
- **Sector:** Education / Non-Profit / Religious
- **Geography:** United States (Chicago, IL)
## Timeline of Events
### Initial Access
- **Date/Time:** June 2026
- **Vector:** Not explicitly disclosed (Likely credential compromise or cloud misconfiguration, typical of ShinyHunters' TTPs).
- **Details:** The threat actor group ShinyHunters gained access to sensitive databases containing constituent information.
### Lateral Movement
- **Details:** Information not publicly disclosed in the notice; however, the attackers successfully moved from the initial entry point to database environments harboring donor and student records.
### Data Exfiltration/Impact
- **Details:** Over 2.3 million unique records were exfiltrated. Following a "pay or leak" ultimatum, the data was published publicly in July 2026 after the institute moved into the investigation phase.
### Detection & Response
- **How it was discovered:** Likely via an extortion demand from the threat actors or discovery of the data on a leak forum.
- **Response actions taken:** Moody Bible Institute engaged internal and external cybersecurity experts to conduct a forensic investigation and issued a formal disclosure notice to affected parties.
## Attack Methodology
*Note: Some fields are inferred based on the known tactics of the identified threat actor (ShinyHunters).*
- **Initial Access:** Often involves compromised API keys, stolen credentials, or misconfigured cloud storage (AWS S3/Azure).
- **Persistence:** Not disclosed.
- **Privilege Escalation:** Not disclosed.
- **Defense Evasion:** Not disclosed.
- **Credential Access:** Likely used to access the primary database or administrative panels.
- **Discovery:** Database enumeration to identify PII (Personally Identifiable Information).
- **Lateral Movement:** Not disclosed.
- **Collection:** Automated scripts to dump database contents.
- **Exfiltration:** Transfer of 2.3M records to attacker-controlled infrastructure.
- **Impact:** Data exfiltration and public extortion ("Pay or Leak").
## Impact Assessment
- **Financial:** Undisclosed; costs involve forensic fees, legal counsel, and potential regulatory fines.
- **Data Breach:** High. 2.3 million records including Names, DOBs, Physical Addresses, Phone Numbers, Genders, and Marital Statuses.
- **Operational:** Diversion of IT resources to incident response and remediation.
- **Reputational:** High. Public leak of donor and supporter information can degrade trust in fundraising efforts.
## Indicators of Compromise
- **Network indicators:** hXXps://www[.]moodybible[.]org/news/2026/data-investigation/ (Official Disclosure)
- **File indicators:** Database dumps frequently labeled under "ShinyHunters" on breach forums.
- **Behavioral indicators:** Large-scale data egress to unknown external IP addresses; unauthorized access to cloud storage buckets.
## Response Actions
- **Containment measures:** Forensic investigation by internal and external experts.
- **Eradication steps:** Not disclosed, but standard procedure involves rotating all database and cloud credentials.
- **Recovery actions:** Reporting the breach to "Have I Been Pwned" and notifying affected individuals via disclosure notices.
## Lessons Learned
- **Key takeaways:** High-volume constituent databases are primary targets for extortion groups even in the non-profit/religious sector.
- **What could have been done better:** Implementation of stricter access controls (MFA) on all database environments and more robust monitoring for large data egress events might have caught the exfiltration in progress.
## Recommendations
- **Zero Trust Architecture:** Implement strict "Least Privilege" access to databases containing PII.
- **Multi-Factor Authentication (MFA):** Enforce Phishing-resistant MFA on all administrative and cloud environment logins.
- **Data Encryption:** Ensure PII is encrypted at rest and in transit to limit the usability of stolen data.
- **Egress Monitoring:** Implement Data Loss Prevention (DLP) tools to alert on the unauthorized transfer of large datasets.