What Happened
On or around March 8, 2026, a threat actor using the handle Ch4nc3ll0rx 1337 (also stylized as #ch4nc3ll0rx_1337) publicly announced the defacement of the DepEd Tayo Roxas City website at depedroxascity.com.
The attacker posted their claims on Facebook, providing links to defacement mirrors, data dumps, and a list of 107 total defacements. The home page of depedroxascity.com was replaced with the attacker's message, and an alternative defacement page was placed at depedroxascity.com/BASTOS.html.
What Was Compromised
The attacker claimed to have exfiltrated and made available:
- 7GB of web directory files — the full contents of the web server's file system
- 17MB of compressed database dumps — the contents of the site's databases
- 107 total website defacements — a list of related defaced sites was posted to pasteview.com
The attacker provided Base64-encoded download links for both the web directory dump and the database dumps, stating they would provide passwords for the archives later.
Scope of Attack
This was not an isolated defacement. The threat actor claimed 107 total defacements across multiple targets, with a mirror archive available on ownzyou.com. The DepEd Roxas City site was presented as the primary target, with a "bonus home defacement" showcasing the replaced homepage.
Defacement mirrors were posted to:
- ownzyou.com (individual mirror and attacker profile)
- pasteview.com (full list of 107 defacements)
Why This Breach Is Concerning
- Full server compromise — the exfiltration of 7GB of web directories indicates the attacker had deep access to the server, not just the ability to modify the homepage
- Database exfiltration — 17MB of compressed database content could contain student records, staff information, administrative data, and other sensitive DepEd information
- Scale of attack — 107 defacements suggest either automated scanning and exploitation or prolonged access to multiple systems
- Government education target — DepEd division offices handle sensitive data for students, teachers, and administrative staff across entire city divisions
- Political motivation — the attacker's message included political commentary about the Philippine government and OFW (Overseas Filipino Workers) protection, indicating hacktivist motivations
How This Type of Attack Works
Website defacement typically involves:
1. Identifying vulnerabilities in the web application or server — common entry points include outdated CMS platforms, unpatched plugins, weak credentials, or SQL injection flaws
2. Gaining access to the web server's file system or admin panel
3. Replacing or modifying the website's front page with the attacker's message
4. Exfiltrating data — in this case, the attacker went beyond defacement to dump the full web directory and databases, indicating deeper server-level access (likely shell access)
5. Publishing proof on defacement mirror sites like ownzyou.com and sharing data dumps publicly
Recommended Actions
1. Take the compromised server offline immediately and migrate to a clean environment — the server should be considered fully compromised
2. Do not simply restore the website — investigate how the attacker gained access and patch the underlying vulnerability before bringing the site back online
3. Analyze the exfiltrated databases to determine what sensitive data was exposed (student PII, staff records, credentials, etc.)
4. Reset all credentials — admin passwords, database passwords, FTP/SSH keys, and any API tokens associated with the server
5. Notify the National Privacy Commission (NPC) within 72 hours if personal data was confirmed in the database dumps, as required under the Data Privacy Act of 2012
6. Notify affected individuals (students, parents, teachers, staff) if their personal data was in the compromised databases
7. Conduct a full security audit of all DepEd Roxas City web properties and related infrastructure
8. Update all software — CMS, plugins, server OS, and web server software should be brought to the latest patched versions
9. Implement a web application firewall (WAF) and intrusion detection systems
10. Enable regular backups and monitoring to detect future unauthorized changes quickly
Context
DepEd Tayo Roxas City is the Department of Education division office for Roxas City in Capiz province, Western Visayas. Division offices manage educational programs, student data, and teacher records for their respective areas.
The attacker's message included a political statement about protecting OFWs abroad and a dedication to "Mary Anne Velasquez De Vera," suggesting this attack was motivated by hacktivism rather than financial gain. The scale of 107 defacements indicates a coordinated campaign, likely exploiting a common vulnerability across multiple DepEd or government-hosted websites.