HomeIntelligenceBrief
BREACH BRIEF🟠 High Breach

Moody Bible Institute Exposes 2.3M Donor and Student Records in Pay‑or‑Leak Attack

In June 2026, ShinyHunters stole and published over 2.3 million donor, student and alumni records from Moody Bible Institute. The breach highlights gaps in access‑control and incident‑response practices that SOC 2 programs must evidence and remediate.

LiveThreat™ Intelligence · 📅 July 04, 2026· 📰 haveibeenpwned.com
🟠
Severity
High
BR
Type
Breach
🎯
Confidence
High
🏢
Affected
2 sector(s)
Actions
3 recommended
📰
Source
haveibeenpwned.com

Moody Bible Institute Exposes 2.3M Donor and Student Records in Pay‑or‑Leak Attack

What Happened — In June 2026, the ShinyHunters “pay‑or‑leak” extortion group accessed Moody Bible Institute’s donor, supporter, student and alumni databases. Over 2.3 million unique email addresses and associated personal data (names, physical addresses, phone numbers, dates of birth, gender, marital status) were later published publicly.

Why It Matters for Compliance & Audit Readiness

  • This breach exemplifies a failure to enforce robust access‑control policies (SOC 2 CC6.1) and to monitor privileged activity continuously.
  • The public dump creates a clear audit trail that must be documented as evidence of incident response, notification, and remediation—key components of SOC 2 CC7.1 (Incident Management).
  • Continuous‑compliance programs need to capture the “pay‑or‑leak” vector as a control‑testing scenario to prove that credential hygiene, MFA enforcement, and third‑party risk reviews are effective.

Who Is Affected — Educational & nonprofit institutions that maintain large donor or alumni registries; any organization that stores personally identifiable information (PII) for supporters or members.

Recommended Actions

  • Map the breach to SOC 2 CC6.1 (Logical Access) and CC7.1 (Incident Management) and collect evidence of existing controls (password policies, MFA adoption, privileged‑access logs).
  • Conduct a forensic review to determine how credentials were obtained; update credential‑management procedures and enforce MFA across all accounts.
  • Document the incident response timeline, notifications, and remediation steps to satisfy audit evidence requirements.
  • Review third‑party vendor contracts for data‑handling clauses and ensure continuous monitoring of any external service used for donor management.

Source: Have I Been Pwned – Moody Bible Institute Breach

Technical Notes

  • Attack vector: “pay‑or‑leak” extortion campaign; no specific vulnerability disclosed.
  • Compromised data fields: email address, name, physical address, phone number, date of birth, gender, marital status.
  • No CVE identifiers; breach appears to stem from credential compromise or insider access.
📰 Original Source
https://haveibeenpwned.com/Breach/MoodyBibleInstitute

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · SOC 2 Readiness

Access is where most audits get tested.

Verisq AI Trust Operations maps incidents like this to your access controls and collects the evidence continuously, keeping your SOC 2 posture defensible.

See where you'd stand with Verisq AI Trust Operations →