Full Report
ShinyHunters leaks names, addresses, DOBs, and more after Christian college discloses cyberattack
Analysis Summary
# Incident Report: Moody Bible Institute Data Breach
## Executive Summary
Moody Bible Institute (MBI) suffered a significant data breach orchestrated by the ShinyHunters threat group, resulting in the exposure of 2.3 million accounts. The incident, involving the theft of sensitive personal information and donor records, culminated in a public data leak after extortion demands were likely unmet. MBI has since neutralized the entry point and engaged external experts for forensic recovery.
## Incident Details
- **Discovery Date:** June 2026
- **Incident Date:** June 2026 (Leak occurred June 23, 2026)
- **Affected Organization:** Moody Bible Institute (MBI)
- **Sector:** Education / Non-Profit / Religious
- **Geography:** United States (Headquartered in Chicago, IL)
## Timeline of Events
### Initial Access
- **Date/Time:** Pre-June 2026
- **Vector:** Exploitation of a vulnerability in a web-facing system.
- **Details:** The threat group reportedly targeted MBI via a vulnerability potentially linked to a PeopleSoft breach or a similar software vulnerability utilized in a wider ShinyHunters campaign.
### Lateral Movement
- Details not explicitly disclosed; however, the attackers gained sufficient access to traverse from the initial entry point to databases containing student, alumni, and donor records.
### Data Exfiltration/Impact
- **June 23, 2026:** ShinyHunters uploaded the stolen data to their leak site.
- **Scope:** 2.3 million records containing PII and internal documents.
### Detection & Response
- **June 22, 2026:** MBI issued a public statement regarding a data investigation.
- **June 23, 2026:** Data added to "Have I Been Pwned" (HIBP) database.
- **Response:** MBI tech teams patched the identified vulnerability and engaged third-party cybersecurity firms.
## Attack Methodology
- **Initial Access:** Exploitation of a technical vulnerability (referenced in the context of a PeopleSoft breach).
- **Persistence:** Not disclosed.
- **Privilege Escalation:** Not disclosed.
- **Defense Evasion:** Not disclosed.
- **Credential Access:** Potential theft of credentials from PeopleSoft or similar administrative systems.
- **Discovery:** Mapping of databases containing donor, student, and alumni information.
- **Lateral Movement:** Movement within the campus network or cloud environment to reach the publishing and media arm data.
- **Collection:** Gathering of names, DOBs, physical addresses, and marital statuses.
- **Exfiltration:** Transfer of data to ShinyHunters-controlled infrastructure.
- **Impact:** Extortion (Pay-or-leak) and subsequent public disclosure of PII.
## Impact Assessment
- **Financial:** Potential regulatory fines and costs associated with credit monitoring services for 2.3 million individuals.
- **Data Breach:** Exposure of 2.3 million accounts including PII (Names, DOBs, addresses, emails, phone numbers, genders, marital status) and donor relations documents.
- **Operational:** Disruption to IT services during the remediation and forensic investigation phase.
- **Reputational:** High; exposure of sensitive donor and student data can impact future fundraising and enrollment.
## Indicators of Compromise
- **Network indicators:** Activity associated with ShinyHunters leak sites (e.g., hxxps[://]shinyhunters[.]com).
- **File indicators:** Database exports containing "Moody Bible Institute" student and donor schemas.
- **Behavioral indicators:** Large outbound data transfers to non-standard IP ranges; exploitation attempts against PeopleSoft vulnerabilities.
## Response Actions
- **Containment measures:** Addressed and patched the primary vulnerability used for access.
- **Eradication steps:** Deployed external cybersecurity experts to assist in clearing the network of any remaining threats.
- **Recovery actions:** Advised the community to implement credit freezes and fraud alerts; cooperated with breach notification services like HIBP.
## Lessons Learned
- **Vulnerability Management:** Rapid patching of mission-critical software (like PeopleSoft) is essential, as threat groups specifically target known vulnerabilities in these platforms.
- **Communication:** While MBI was transparent about the "investigation," the leak occurred within 24 hours of their statement, suggesting the attackers had completed their cycle before the defense was fully enacted.
- **Data Minimization:** Retaining data on 2.3 million individuals (including alumni and historic donors) increases the blast radius of a breach.
## Recommendations
- **Multi-Factor Authentication (MFA):** Ensure MFA is enforced across all administrative portals and ERP systems (PeopleSoft).
- **Egress Monitoring:** Implement monitoring for large-scale data transfers to identify exfiltration in real-time.
- **Third-Party Risk Management:** Audit all third-party software for known CVEs on a weekly basis.
- **Incident Response Planning:** Develop a specific playbook for extortion-based attacks to handle communication with threat actors and the public more effectively.