What Happened
On May 3, 2026, the joint Facebook account NSP & DNH — branded as a collaboration between Nullsec Philippines and Deathnote Hackers International — publicly posted a claim of breach against the DepEd training platform hosted at `training.deped.gov.ph`.
The post included:
- A motive statement framing the breach as a protest against the Department of Education's handling of bullying in public schools, and against the condition of public-school facilities relative to DepEd's stated annual budget
- A file listing with the following metadata:
- File Type: CSV (plain text)
- Lines: 999,995
- Origin: `training.deped.gov.ph`
- Includes: CITY, COUNTRY, STATUS, ID, FULLNAMES, EMAILS, PROFILE LINK
- Multiple identical gofile.io download links pointing to the same archive
- An attribution line co-crediting Deathnote Hackers International (DNH), Klammer, and Nullsec Philippines
The post was accompanied by an image titled "SMILE" (a defaced-style poster) consistent with the visual branding the collective uses on other defacement claims tracked on this site.
Independent Corroboration
1. Deep Web Konek (DWK) dataset validation
On May 3, 2026, the cybersecurity research and advocacy organization Deep Web Konek (DWK) — a Manila-based monitoring group whose prior reporting has been cited in earlier entries on this site, including the DepEd Cordillera Administrative Region breach (November 2025) — published a news item titled "News: Nearly 1M DepEd Records Allegedly Exposed in Training Platform Breach, Claimed by NullSec Philippines." DWK reported that its team conducted an initial validation of the circulated dataset and supporting images, and reported the following findings:
- Record count alignment. The dataset's row count aligns closely with the threat actor's claimed volume of 999,995
- Internal email-field breakdown. Approximately 874,770 entries without email values and approximately 125,224 entries with valid email addresses, totaling nearly one million users — a structural detail not present in the original threat-actor post
- Schema consistency. The format and schema are consistent with structured institutional databases, and sample entries display realistic naming patterns
- DWK assessment. The dataset is assessed as "likely authentic with strong internal consistency," while DWK explicitly notes that "full forensic confirmation of system origin remains ongoing"
- DWK overall classification. DWK characterizes the breach as "credible and high-impact" and states it is continuing to monitor developments
- Operational attribution. DWK attributes the operation to NullSec Philippines as primary, with Deathnote Hackers International acting "primarily as an amplifier to widen reach and visibility" — consistent with our reading of the joint NSP & DNH posting pattern
DWK is not a media outlet in the traditional sense, but it is an established cybersecurity research and advocacy organization whose validation work is cited elsewhere on this site. Their independent review materially strengthens the credibility of the underlying claim beyond what could be inferred from the threat-actor post alone, while stopping short of full forensic confirmation.
2. Platform is offline
As of May 3, 2026, SchoolBreach.org's editorial team independently observed that `training.deped.gov.ph` is no longer reachable — the domain is returning a Cloudflare error rather than the usual training-platform interface. The platform has been pulled offline within hours of a public ~1M-record breach claim against the same URL, confirming that DepEd's IT operations team is aware of and acting on the situation.
While DepEd has not yet issued a public statement at the time of this entry, the platform being taken offline is a clear operational acknowledgment that distinguishes this claim from the many threat-actor posts that go publicly unanswered. The same pattern of "platform offline before any public statement" was previously observed in the MBHTE Bangsamoro breach (March 31, 2026), where the affected ministry's website was suspended by the hosting provider before any official statement was made.
What Is and Isn't Confirmed
Confirmed from the post itself:
- The threat actor publicly named DepEd's training subdomain (`training.deped.gov.ph`) as the source of the leaked data
- The threat actor published a downloadable CSV file with claimed row count of 999,995
- The threat actor named the columns of the file (FULLNAMES, EMAILS, PROFILE LINK, USER ID, STATUS, CITY, COUNTRY) — categories consistent with a user-account export from a learning-management or training platform
- The post is signed jointly by Nullsec Philippines and Deathnote Hackers International, two threat-actor groups with prior public defacement and data-leak claims against Philippine institutions
Confirmed by independent third-party review (Deep Web Konek, May 3, 2026):
- The dataset's row count aligns closely with the claimed 999,995
- Internal email-field structure: ~874,770 entries without email values, ~125,224 with valid email addresses
- Schema and format are consistent with structured institutional databases
- Sample entries display realistic naming patterns
- DWK overall assessment: "likely authentic with strong internal consistency" and "credible and high-impact"
- DWK additionally observed that `training.deped.gov.ph` is offline, consistent with our independent observation
Confirmed by SchoolBreach.org editorial team:
- `training.deped.gov.ph` has been pulled offline and is returning a Cloudflare error rather than the usual training-platform interface (May 3, 2026)
Not yet confirmed:
- The vulnerability class used to obtain the data (SQL injection, exposed admin endpoint, credential compromise, third-party processor leak, etc.) — the actor did not describe the technical mechanism, and DWK's review did not identify it
- Whether the records correspond to teachers, administrators, students, or some combination — the column list (FULLNAMES, EMAILS, PROFILE LINK) is consistent with educator-account schemas typical of training and certification platforms but is not, on its own, dispositive
- Whether DepEd has issued any official statement, has notified the National Privacy Commission, or has begun publicly-disclosed remediation
This entry is tracked as confirmed based on the combination of DWK's independent dataset validation ("likely authentic with strong internal consistency," "credible and high-impact") and the operator's own response: `training.deped.gov.ph` has been pulled offline and is now returning a Cloudflare error rather than its usual interface. Together these constitute independent corroboration that a real incident affecting the named platform is in progress. Severity is recorded as critical based on the magnitude (≈1M rows of personally identifiable information including names, emails, and account identifiers).
Attacker
The post was published under the joint banner NSP & DNH:
- Nullsec Philippines (NSP) — a Filipino hacktivist collective documented across many entries on this site, most recently the MIMAROPA state university MIS defacement (May 2), the Laguna technical-institute off-domain claim (May 2), the San Juan, Batangas Catholic K-12 claim (May 1), the Rosario, Batangas private school claim (April 28), and the Cebu City private university subdomain defacement (April 1)
- Deathnote Hackers International (DNH) — co-credited under the alias Klammer
The collaboration is notable: previous Nullsec Philippines posts have credited related handles (Fawkes Pilipinas, Crypt0nymz) but have not co-branded with Deathnote Hackers International on a unified Facebook account. The use of a joint NSP & DNH page suggests an ongoing operational alliance between the two groups against Philippine government targets.
Why This Matters
- Government education ministry — DepEd is the Philippine Department of Education, the country's largest public-sector employer and the steward of personal data for tens of millions of students, teachers, and staff. A leak from any DepEd platform is by definition national in scope
- Roughly one-million-row leak — if the file is authentic, this is one of the largest single-incident DepEd leaks tracked on this site, on the same order as the DepEd Division of Laguna database leak (7M+ records) and the DepEd Cordillera Administrative Region leak (6M+ records)
- Personal data with re-use risk — names paired with email addresses and account identifiers are directly usable for credential-stuffing and targeted phishing against the affected accounts
- Public download distribution — the use of gofile.io for distribution means the file remains downloadable until the host removes it; copies will continue to circulate after takedown
- Hacktivist motive framing — the explicit policy motive (bullying, facility budgets) signals continued targeting; this is unlikely to be the last DepEd-related claim from this collaboration
Recommended Actions for DepEd
- 1.Verify the leak immediately — obtain a copy of the CSV through trusted channels and compare against known training-platform user records to determine authenticity and scope
- 2.Take `training.deped.gov.ph` offline pending investigation — a maintenance page is preferable to leaving a known-attacked platform reachable while the access vector is being scoped
- 3.Force credential resets for every account on the training platform, and for any account that may have re-used the same password elsewhere in DepEd's systems
- 4.Preserve logs immediately — at minimum the past 90 days of web, application, database, and authentication logs for the training subdomain, before they age out
- 5.Notify the National Privacy Commission (NPC) within 72 hours under RA 10173 — a leak of approximately one million personal-data records, if confirmed, far exceeds the materiality threshold for mandatory notification
- 6.Notify affected users — once the data has been authenticated and reviewed, those whose names and emails appear in the file should be notified directly so they can reset reused passwords and watch for targeted phishing
- 7.Coordinate with the gofile.io abuse channel — request takedown of the public download links, while recognizing copies of the data are likely already in circulation
- 8.Issue a public statement — silence in the face of a one-million-record claim against a DepEd platform creates space for misinformation and erodes public trust; a short factual update is preferable to silence even before the investigation is complete
Sources & References
All sources are independently verified. Access dates and archive links are recorded for each citation.
- [1]NSP & DNH joint claim post (Facebook) — Joint Nullsec Philippines × Deathnote Hackers International Facebook post claiming a 999,995-row CSV exfiltrated from training.deped.gov.ph, with multiple gofile.io download links and a hacktivist motive statement on bullying and school facilities (May 3, 2026).Accessed: May 3, 2026
- [2]Deep Web Konek — Nearly 1M DepEd Records Allegedly Exposed in Training Platform Breach — Independent review by Deep Web Konek validating the dataset's record count, schema consistency, and internal email-field breakdown (~874,770 without email, ~125,224 with valid email). DWK assesses the dataset as 'likely authentic with strong internal consistency' and the breach as 'credible and high-impact,' while noting that full forensic confirmation of system origin remains ongoing (May 3, 2026).Accessed: May 3, 2026