What Happened
On March 29, 2026, the threat actor group Nullsec Philippines breached two private colleges in San Fernando, La Union. Both institutions were hosted on the same shared hosting account, and the attacker compromised the hosting control panel to deface both sites and exfiltrate their databases.
Both defacement pages remain live as of March 30, 2026, independently confirming the breach:
- School A — defacement page reading "PAWNED BY NULLSEC PHILIPPINES — Nostra & friends"
- School B — defacement page reading "HACKED BY NULLSEC PHILIPPINES" with a message in Filipino: "Kinuha nila ang pera para sa liwanag pero iniwan sa dilim ang proteksyon. Habang nagdiriwang ang mga kurap, ang taong bayan ang nagdurusa." (They took the money for light but left protection in the dark. While the corrupt celebrate, the people suffer.) The page included the hashtag #PUNISH THE INJUSTICE#.
Full Database Exfiltration
Beyond the website defacement, the attackers exfiltrated the school's entire database. The leaked data consists of over 16 CSV files dumped from a shared hosting database (username pattern `u294708982_c...`), including:
| Table | Description | Size |
|---|---|---|
| tbsubjs_enrolled.csv | Student enrollment records | 13.32 MB |
| tblstud_payments.csv | Student payment records | 3.89 MB |
| tblstud_miscfees.csv | Student miscellaneous fees | 3.81 MB |
| tblsubj_offered.csv | Subject offerings | 1.25 MB |
| tblchedlist_temp.csv | CHED checklist data | 1.17 KB |
| tblstud_discounts.csv | Student discount records | 157.43 KB |
| tblmisc_fees.csv | Miscellaneous fee schedules | 51.72 KB |
| tbltuition_fees.csv | Tuition fee schedules | 11.89 KB |
| tblvirtualmeet.csv | Virtual meeting records | 21.38 KB |
| tbsubjs_adddrop.csv | Subject add/drop records | 602 B |
| tbldept.csv | Department records | 317 B |
| tblother_fees.csv | Other fee records | 55 B |
| teachers_eval_sub.csv | Teacher evaluation submissions | 244 B |
| teachers_eval_title.csv | Teacher evaluation titles | — |
| tblborrcheckout.csv | Library borrower checkout | 236 B |
| tblborrlogs.csv | Library borrower logs | 207 B |
The largest files — enrolled subjects (13.32 MB) and student payments (3.89 MB) — suggest thousands of student records spanning multiple academic terms.
User Accounts with Passwords Exposed
A separate dataset reveals the school's internal user account table, containing:
- Full names of administrators, registrars, cashiers, and other staff
- Usernames and passwords — many appearing to be in plaintext or weakly encoded
- Email addresses (both internal and personal)
- Role assignments — administrator, registrar, cashier, and other roles
- Account status — active/inactive flags
- Employee/student ID numbers
This is the most critical component of the leak: credential exposure means attackers (or anyone who obtains the dump) could access any system where staff reuse these passwords.
What Was Compromised
The breach goes well beyond simple website defacement:
- Website defacement — both schools' websites were replaced with defacement banners that remain live
- Full database exfiltration — 16+ database tables were dumped, covering the school's entire student information system
- Student financial records — payment history, tuition fees, discounts, and miscellaneous charges
- Academic records — enrollment data, subject offerings, add/drop records, and CHED checklist data
- Staff credentials — user accounts with passwords, emails, and administrative roles
- Teacher evaluations — evaluation records and titles
- File manager access — the attacker had full access to the hosting file manager, exposing the directory structure of all sites on the shared account
- Personal data exposure — a resume was leaked containing a full name, date of birth, home address, contact number, email address, parents' names, religion, and other personal details
- Student document repository — the file manager screenshots show dozens of student files spanning 2024–2026, including research papers, informatics assignments, images, and other academic documents
- Student academic records — a student activity sheet from School B's College of Criminal Justice Education was leaked, containing a student's name, instructor name, course section, and academic work
Shared Hosting as Attack Vector
The file manager screenshots reveal three domains hosted on the same account:
1. School A's domain
2. School B's domain
3. A third unrelated domain (systemsglory.org)
The database username `u294708982_c...` follows the naming convention of shared hosting providers, confirming that both schools' websites and databases were hosted on the same shared account. Compromising one hosting account gave the attacker access to all three domains, their files, and their databases. This is a textbook example of the risks of shared hosting without proper isolation.
Attacker
Nullsec Philippines operates under the banner "Nostra & friends." The defacement pages included greetz to: Lei$, N0STR4, Astria, Xf1ltr4t0r, zane0days, 1nv4d3r, AstralX99, Wiz, B00tz, Lost32x, r3dh0t:~$, Klyntar, 0xTerror, 0xSeve, Ch4nc3ll0rx.1337, x10n, and ChancellorX1337. The group also sent greetz to Anonymous Philippines, Lulzsec Pilipinas, and Pinoy Vendetta. The group maintains a Facebook page and a Telegram channel (t.me/nullsechackers).
Why This Breach Matters
- Independently confirmed — both defacements are still live and verifiable; database dumps corroborate deep access
- Full database compromise — this is not just a defacement; the attackers obtained the complete student information system database
- Credentials exposed — staff passwords in plaintext enable credential-stuffing attacks across other systems
- Student financial data — payment records and fee schedules expose sensitive financial information for potentially thousands of students
- Shared hosting risk — one compromised account exposed multiple institutions' websites and databases simultaneously
- Ongoing exposure — database dumps remain in circulation
Resolution
As of April 13, 2026, both institutional websites have been restored. School A appears to be fully functional. School B has been restored but all images are missing, suggesting an incomplete recovery — possibly due to the file manager compromise wiping or corrupting the media directory. Neither institution has issued a public statement regarding the breach, and the exfiltrated database dumps remain in circulation.
The defacement of School B was independently indexed by Zone-Xsec (a defacement mirror/archive) and picked up by cybersecurity feed accounts on X, providing external confirmation beyond the threat actor's own claims. No major news coverage of the breach has been found.
How to Prevent This
1. Avoid shared hosting for educational institutions — use isolated hosting environments so a single breach cannot cascade across multiple schools
2. Never store passwords in plaintext — use strong, salted hashing algorithms (bcrypt, Argon2) for all credential storage
3. Separate database credentials per application — each site on shared hosting should use its own database user with minimal privileges
4. Keep CMS and server software updated — patch known vulnerabilities promptly
5. Use a Web Application Firewall (WAF) — to detect and block common defacement and injection attacks
6. Enforce strong authentication — require MFA for all hosting, admin, and backend access
7. Encrypt sensitive data at rest — student financial records and PII should be encrypted in the database
8. Store personal documents securely — resumes, student records, and academic files should not be stored in publicly-accessible web directories
9. Monitor file integrity — deploy tools that alert on unauthorized changes to website files
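For item 2 and the user account table described earlier, the following added example (not code from either school or from the original report) audits how a password column is stored and migrates weak values to a salted, memory-hard hash. It uses the standard library's scrypt in place of bcrypt or Argon2 so that it runs without third-party packages; the sample rows, the `scrypt$...` storage format and all function names are assumptions made for illustration.

```python
import base64, binascii, hashlib, hmac, os, re

# Constructed sample rows (username -> stored value); not data from the leak.
SAMPLE_ROWS = {
    "registrar1": "Summer2024!",
    "cashier2": base64.b64encode(b"Summer2024!").decode(),
    "admin": hashlib.sha256(b"Summer2024!").hexdigest(),
    "dean": "$2b$12$" + "a" * 53,          # bcrypt-shaped placeholder
}

def classify(stored):
    """Heuristically label how one password column value is stored."""
    if re.fullmatch(r"\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}", stored):
        return "bcrypt"
    if stored.startswith("$argon2"):
        return "argon2"
    if stored.startswith("scrypt$"):
        return "scrypt"
    if re.fullmatch(r"(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})", stored):
        return "unsalted-digest"           # MD5/SHA-1/SHA-256 sized hex
    try:
        raw = base64.b64decode(stored, validate=True)
        if raw and raw.isascii() and raw.decode().isprintable():
            return "base64"
    except (binascii.Error, ValueError):
        pass
    return "plaintext"

def hash_password(password, n=2**14, r=8, p=1):
    salt = os.urandom(16)                  # fresh random salt per user
    dk = hashlib.scrypt(password.encode(), salt=salt, n=n, r=r, p=p, dklen=32)
    return f"scrypt${n}${r}${p}${salt.hex()}${dk.hex()}"

def verify_password(password, stored):
    _, n, r, p, salt, dk = stored.split("$")
    cand = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt),
                          n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(cand, bytes.fromhex(dk))

def migrate(stored):
    """Return (new_value, action) for one row."""
    kind = classify(stored)
    if kind == "plaintext":
        return hash_password(stored), "rehashed"
    if kind == "base64":
        return hash_password(base64.b64decode(stored).decode()), "rehashed"
    if kind == "unsalted-digest":
        return None, "force-reset"         # password unknown: expire, do not keep
    return stored, "kept"
```

Rehashing corrects the storage format only; passwords that have already appeared in a dump still have to be rotated.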