SchoolBreach.org

A public resource tracking data breaches in Philippine schools. Helping administrators protect student data through awareness, education, and free security tools.

© 2026 SchoolBreach.org · A community service by OceanEd


Disclaimer: This tracker is maintained for educational and awareness purposes. Incidents are documented using threat intelligence monitoring, Philippine media reports, NPC filings, and responsible disclosures. Social media platforms are monitored for leads and are corroborated before publication or naming — never through active scanning or exploitation. Severity ratings and summaries are prepared with AI assistance and reviewed editorially. Full methodology →

Database Leak · Critical · Resolved

Two educational institutions in San Fernando, La Union

The name of this institution has been withheld pending verification of the source. This entry is based on an unconfirmed report.

Nullsec Philippines breached two private colleges in San Fernando, La Union by compromising their shared hosting account. Beyond defacing both websites, the attackers exfiltrated the full school database — over 16 CSV tables containing student payments, enrollment records, tuition fees, user accounts with plaintext passwords, and teacher evaluations.

March 29, 2026 · Unknown records affected

Key Facts

  • Date of Incident: March 29, 2026
  • Date Discovered: March 29, 2026
  • Records Affected: Unknown
  • Source: Nullsec Philippines (Facebook)
  • Data Types Exposed: Website content, Personal data, Student documents, Student academic records, Resumes, Student payment records, Tuition and fee records, Enrollment records, Student discounts, User accounts with passwords, Email addresses, Teacher evaluation records, Library borrower records, Virtual meeting records, Subject offerings, Department records

Response / Action Taken

As of April 13, 2026, School A's website has been restored and appears to be functioning normally. School B's website has been restored but all images are missing, suggesting an incomplete recovery. The full database dumps remain in circulation. Neither institution has issued a public statement regarding the breach.

What Happened

On March 29, 2026, the threat actor group Nullsec Philippines breached two private colleges in San Fernando, La Union. Both institutions were hosted on the same shared hosting account, and the attacker compromised the hosting control panel to deface both sites and exfiltrate their databases.

Both defacement pages remain live as of March 30, 2026, independently confirming the breach:

  • School A — defacement page reading "PAWNED BY NULLSEC PHILIPPINES — Nostra & friends"
  • School B — defacement page reading "HACKED BY NULLSEC PHILIPPINES" with a message in Filipino: "Kinuha nila ang pera para sa liwanag pero iniwan sa dilim ang proteksyon. Habang nagdiriwang ang mga kurap, ang taong bayan ang nagdurusa." (They took the money for light but left protection in the dark. While the corrupt celebrate, the people suffer.) The page included the hashtag #PUNISH THE INJUSTICE#.

Full Database Exfiltration

Beyond the website defacement, the attackers exfiltrated the school's entire database. The leaked data consists of over 16 CSV files dumped from a shared hosting database (username pattern `u294708982_c...`), including:

| Table | Description | Size |
|---|---|---|
| tbsubjs_enrolled.csv | Student enrollment records | 13.32 MB |
| tblstud_payments.csv | Student payment records | 3.89 MB |
| tblstud_miscfees.csv | Student miscellaneous fees | 3.81 MB |
| tblsubj_offered.csv | Subject offerings | 1.25 MB |
| tblchedlist_temp.csv | CHED checklist data | 1.17 KB |
| tblstud_discounts.csv | Student discount records | 157.43 KB |
| tblmisc_fees.csv | Miscellaneous fee schedules | 51.72 KB |
| tbltuition_fees.csv | Tuition fee schedules | 11.89 KB |
| tblvirtualmeet.csv | Virtual meeting records | 21.38 KB |
| tbsubjs_adddrop.csv | Subject add/drop records | 602 B |
| tbldept.csv | Department records | 317 B |
| tblother_fees.csv | Other fee records | 55 B |
| teachers_eval_sub.csv | Teacher evaluation submissions | 244 B |
| teachers_eval_title.csv | Teacher evaluation titles | — |
| tblborrcheckout.csv | Library borrower checkout | 236 B |
| tblborrlogs.csv | Library borrower logs | 207 B |

The largest files — enrolled subjects (13.32 MB) and student payments (3.89 MB) — suggest thousands of student records spanning multiple academic terms.

User Accounts with Passwords Exposed

A separate dataset reveals the school's internal user account table, containing:

  • Full names of administrators, registrars, cashiers, and other staff
  • Usernames and passwords — many appearing to be in plaintext or weakly encoded
  • Email addresses (both internal and personal)
  • Role assignments — administrator, registrar, cashier, and other roles
  • Account status — active/inactive flags
  • Employee/student ID numbers

This is the most critical component of the leak: credential exposure means attackers (or anyone who obtains the dump) could access any system where staff reuse these passwords.
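
As an added illustration (not code from the affected schools or from SchoolBreach.org), the sketch below migrates a plaintext password column to salted hashes so that a future dump no longer yields reusable credentials. It uses scrypt from the Python standard library in place of the bcrypt/Argon2 named on this page, because those need third-party packages; the `users` table, its columns and the sample accounts are constructed for the example.

```python
import hashlib
import hmac
import os
import sqlite3

# scrypt cost parameters (about 16 MiB of memory per hash); raise N as hardware allows.
N, R, P, DKLEN = 2**14, 8, 1, 32

def hash_password(password: str) -> str:
    """Return 'scrypt$<salt hex>$<digest hex>' with a fresh random salt."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=N, r=R, p=P, dklen=DKLEN)
    return f"scrypt${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Check a candidate password against a stored record in constant time."""
    try:
        scheme, salt_hex, digest_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    except ValueError:
        return False  # legacy plaintext or malformed values never verify
    if scheme != "scrypt":
        return False
    candidate = hashlib.scrypt(password.encode(), salt=salt, n=N, r=R, p=P, dklen=DKLEN)
    return hmac.compare_digest(candidate, expected)

def migrate_plaintext(conn: sqlite3.Connection) -> int:
    """Replace every password not yet in scrypt format with its salted hash."""
    rows = conn.execute(
        "SELECT id, password FROM users WHERE password NOT LIKE 'scrypt$%'").fetchall()
    for user_id, plaintext in rows:
        conn.execute("UPDATE users SET password = ? WHERE id = ?",
                     (hash_password(plaintext), user_id))
    conn.commit()
    return len(rows)

def demo_migration():
    # Constructed sample table: column names, accounts and passwords are invented.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("registrar1", "Welcome2026"), ("cashier1", "Welcome2026")])
    migrated = migrate_plaintext(conn)
    stored = [row[0] for row in conn.execute("SELECT password FROM users ORDER BY id")]
    return migrated, stored

if __name__ == "__main__":
    print(demo_migration())
```

Hashing protects only against future dumps: any password that was already stored in plaintext in a leaked table still has to be reset.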

What Was Compromised

The breach goes well beyond simple website defacement:

  • Website defacement — both schools' websites were replaced with defacement banners that remain live
  • Full database exfiltration — 16+ database tables were dumped, covering the school's entire student information system
  • Student financial records — payment history, tuition fees, discounts, and miscellaneous charges
  • Academic records — enrollment data, subject offerings, add/drop records, and CHED checklist data
  • Staff credentials — user accounts with passwords, emails, and administrative roles
  • Teacher evaluations — evaluation records and titles
  • File manager access — the attacker had full access to the hosting file manager, exposing the directory structure of all sites on the shared account
  • Personal data exposure — a resume was leaked containing a full name, date of birth, home address, contact number, email address, parents' names, religion, and other personal details
  • Student document repository — the file manager screenshots show dozens of student files spanning 2024–2026, including research papers, informatics assignments, images, and other academic documents
  • Student academic records — a student activity sheet from School B's College of Criminal Justice Education was leaked, containing a student's name, instructor name, course section, and academic work

Shared Hosting as Attack Vector

The file manager screenshots reveal three domains hosted on the same account:

  1. School A's domain
  2. School B's domain
  3. A third unrelated domain (systemsglory.org)

The database username `u294708982_c...` follows the naming convention of shared hosting providers, confirming that both schools' websites and databases were hosted on the same shared account. Compromising one hosting account gave the attacker access to all three domains, their files, and their databases. This is a textbook example of the risks of shared hosting without proper isolation.

Attacker

Nullsec Philippines operates under the banner "Nostra & friends." The defacement pages included greetz to: Lei$, N0STR4, Astria, Xf1ltr4t0r, zane0days, 1nv4d3r, AstralX99, Wiz, B00tz, Lost32x, r3dh0t:~$, Klyntar, 0xTerror, 0xSeve, Ch4nc3ll0rx.1337, x10n, and ChancellorX1337. The group also sent greetz to Anonymous Philippines, Lulzsec Pilipinas, and Pinoy Vendetta. The group maintains a Facebook page and a Telegram channel (t.me/nullsechackers).

Why This Breach Matters

  • Independently confirmed — both defacements are still live and verifiable; database dumps corroborate deep access
  • Full database compromise — this is not just a defacement; the attackers obtained the complete student information system database
  • Credentials exposed — staff passwords in plaintext enable credential-stuffing attacks across other systems
  • Student financial data — payment records and fee schedules expose sensitive financial information for potentially thousands of students
  • Shared hosting risk — one compromised account exposed multiple institutions' websites and databases simultaneously
  • Ongoing exposure — database dumps remain in circulation

Resolution

As of April 13, 2026, both institutional websites have been restored. School A appears to be fully functional. School B has been restored but all images are missing, suggesting an incomplete recovery — possibly due to the file manager compromise wiping or corrupting the media directory. Neither institution has issued a public statement regarding the breach, and the exfiltrated database dumps remain in circulation.

The defacement of School B was independently indexed by Zone-Xsec (a defacement mirror/archive) and picked up by cybersecurity feed accounts on X, providing external confirmation beyond the threat actor's own claims. No major news coverage of the breach has been found.

How to Prevent This

  1. Avoid shared hosting for educational institutions — use isolated hosting environments so a single breach cannot cascade across multiple schools
  2. Never store passwords in plaintext — use strong, salted hashing algorithms (bcrypt, Argon2) for all credential storage
  3. Separate database credentials per application — each site on shared hosting should use its own database user with minimal privileges
  4. Keep CMS and server software updated — patch known vulnerabilities promptly
  5. Use a Web Application Firewall (WAF) — to detect and block common defacement and injection attacks
  6. Enforce strong authentication — require MFA for all hosting, admin, and backend access
  7. Encrypt sensitive data at rest — student financial records and PII should be encrypted in the database
  8. Store personal documents securely — resumes, student records, and academic files should not be stored in publicly-accessible web directories
  9. Monitor file integrity — deploy tools that alert on unauthorized changes to website files

Tags: San Fernando, La Union, Ilocos Region, database leak, website defacement, Nullsec, Philippines, personal data, student records, student payments, credentials, plaintext passwords, shared hosting, file manager, 2026, coordinated attack



