Unauthorized Access
High | Resolved

Far Eastern University (FEU)

Hacker group Pinoy Grayhats breached FEU's student portal and leaked personal data of at least 1,000 students, including names, student numbers, passwords, and mobile numbers. The group claimed to have warned FEU about vulnerabilities beforehand.

June 16, 2020 | Manila, NCR | 1,000+ records affected

Key Facts

Date of Incident: June 16, 2020
Date Discovered: June 16, 2020
Records Affected: 1,000+
Source
Data Types Exposed: Student names, student numbers, passwords, course information, mobile numbers
Response / Action Taken

Student portal taken offline. External cybersecurity provider engaged. NPC notified. Students told to reset passwords.

What Happened

On June 16, 2020, at 11:27 PM, a member of the hacker group "Pinoy Grayhats" leaked private data of at least 1,000 FEU students on Facebook. The group's members, using the aliases "InFamouz" and "Alita," had previously warned FEU about security vulnerabilities in their student portal, but claimed the university took no action.

FEU confirmed the intrusion on June 18, 2020, and temporarily took the student portal offline to investigate.

Data Exposed

  • Full student names
  • Student numbers
  • Account passwords
  • Course and program information
  • Mobile phone numbers

How This Attack Works

The Pinoy Grayhats group exploited web application vulnerabilities in FEU's Manila Student Portal. Common vulnerabilities in student portals include SQL injection (inserting malicious database queries through login forms), broken authentication (weak session management), and insecure direct object references (accessing other users' data by changing URL parameters).

The fact that passwords were leaked in plain text indicates the portal was storing passwords without hashing — a critical security flaw that means anyone with database access can read every user's password directly.

The group said it had attempted responsible disclosure before the leak, warning the university about the site's poor security, but FEU reportedly did not act on the warnings.

Broader Context

FEU was one of over 20 Philippine schools hacked in June 2020 alone. The wave of school hacking incidents coincided with the transition to online education during the COVID-19 pandemic, exposing how unprepared many Philippine schools were for digital security.

Response

FEU called on all students to immediately reset their passwords. The university tapped an external cybersecurity provider to assist with the investigation and informed the National Privacy Commission (NPC) of the breach.

How to Prevent This

  1. Never store passwords in plain text — use strong hashing algorithms like bcrypt, scrypt, or Argon2. If your student portal stores plain-text passwords, this is an emergency-level issue.
  2. Conduct penetration testing before deployment — hire a security firm to test your student portal for SQL injection, XSS, broken authentication, and IDOR vulnerabilities before going live.
  3. Implement a responsible disclosure policy — create a security@school.edu.ph email and a public vulnerability reporting page so researchers can report issues before they escalate.
  4. Use parameterized queries — this prevents SQL injection, the most common web attack vector against database-backed applications.
  5. Enforce multi-factor authentication (MFA) — even if passwords are compromised, MFA prevents unauthorized login.
  6. Implement rate limiting and account lockout — prevent brute-force attacks by locking accounts after repeated failed login attempts.
  7. Use HTTPS everywhere — encrypt all traffic between the student's browser and the portal to prevent credential interception.
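
Items 1 and 4 combined, as an added example (not code from FEU's portal or from the original page): it migrates a table of plain-text passwords to salted scrypt hashes, erases the plain text, and checks logins through a parameterized query. The table layout, column names, scrypt cost parameters, and sample rows are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os
import sqlite3

# scrypt cost parameters: assumed values for this example, tune for your hardware.
N, R, P, MAXMEM = 2**14, 8, 1, 64 * 2**20

def _scrypt(password: str, salt: bytes) -> bytes:
    return hashlib.scrypt(password.encode(), salt=salt, n=N, r=R, p=P,
                          maxmem=MAXMEM, dklen=32)

def hash_password(password: str) -> str:
    """Return '<salt hex>$<hash hex>' using a fresh random salt per user."""
    salt = os.urandom(16)
    return f"{salt.hex()}${_scrypt(password, salt).hex()}"

def verify_password(password: str, stored: str) -> bool:
    try:
        salt_hex, hash_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)
    except (AttributeError, ValueError):
        return False  # missing or malformed hash: deny the login
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(_scrypt(password, salt), expected)

def migrate_plaintext(db: sqlite3.Connection) -> int:
    """Hash every legacy plain-text password, then erase the plain text."""
    rows = db.execute(
        "SELECT student_no, password FROM students WHERE password IS NOT NULL"
    ).fetchall()
    for student_no, plaintext in rows:
        db.execute(
            "UPDATE students SET pw_hash = ?, password = NULL WHERE student_no = ?",
            (hash_password(plaintext), student_no))
    db.commit()
    return len(rows)

def login(db: sqlite3.Connection, student_no: str, password: str) -> bool:
    # Parameterized query: the form input is bound as data, never spliced into SQL.
    row = db.execute("SELECT pw_hash FROM students WHERE student_no = ?",
                     (student_no,)).fetchone()
    return row is not None and verify_password(password, row[0])

def demo_db() -> sqlite3.Connection:
    """In-memory table with constructed sample rows (not real FEU data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE students (student_no TEXT PRIMARY KEY, "
               "password TEXT, pw_hash TEXT)")
    db.executemany("INSERT INTO students (student_no, password) VALUES (?, ?)",
                   [("2020-00001", "hunter2"), ("2020-00002", "hunter2")])
    return db
```

Because each row gets its own salt, two students with the same password end up with different stored hashes, so a database dump no longer reveals passwords or which accounts share one.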
