SchoolBreach.org
BreachesTrendsToolsLearnAbout
Free Security Check
Security Check
SchoolBreach.org

A public resource tracking data breaches in Philippine schools. Helping administrators protect student data through awareness, education, and free security tools.

© 2026 SchoolBreach.org · A community service by OceanEd

Navigate

  • Breaches
  • Trends
  • Tools
  • Learn
  • Methodology

Company

  • About
  • Privacy Policy
  • Terms of Service
  • Contact Us

Disclaimer: This tracker is maintained for educational and awareness purposes. Incidents are documented using threat intelligence monitoring, Philippine media reports, NPC filings, and responsible disclosures. Social media platforms are monitored for leads and are corroborated before publication or naming — never through active scanning or exploitation. Severity ratings and summaries are prepared with AI assistance and reviewed editorially. Full methodology →

Back to Breach Tracker
Database Leak
CriticalUnconfirmed

Multiple Philippine Schools (LMS Platform Breach)

The name of this institution has been withheld pending verification of the source. This entry is based on an unconfirmed report.

A threat actor posted a database for sale allegedly containing 132,037 student records, 14,145 teacher records, and administrator credentials from a shared LMS platform used by multiple Philippine schools. This claim is based on a single unverified source and the breach remains unconfirmed — the named institutions have not been independently verified as affected.

August 1, 2025146,000+ records affected

Key Facts

Date of Incident
August 1, 2025
Date Discovered
August 1, 2025
Records Affected
146,000+
Source
Deep Web Konek
Data Types Exposed
Personal email addressesCourse informationStudent numbersBirth datesPasswords (unhashed)Administrator names
Response / Action Taken

No institutions have issued public statements regarding the claim. Breach remains unconfirmed.

Single-source notice: This incident is based solely on a threat actor's unverified claim reported by one cybersecurity monitoring group. No affected institution has confirmed the breach, and no independent source has corroborated the claim. School names from the original listing have been redacted until the breach can be independently verified.

What Happened

Philippine cybersecurity monitoring group Deep Web Konek (DWK) reported that a threat actor using the alias "AFish" posted a database for sale on a cybercrime forum. The database allegedly contains records from a Learning Management System (LMS) used by multiple Philippine educational institutions.

The seller offered the data for $60 USD in Monero (XMR) cryptocurrency, restricted to a single buyer. The listing also claimed to include "specialized tools and a guide for anonymity and spying" bundled with the database.

Schools Allegedly Affected

The threat actor's listing named several Philippine educational institutions. Because this claim has not been independently verified, school names have been redacted. The listing referenced at least five named schools plus additional unnamed institutions.

Data Exposed

The alleged database contains:

  • 132,037 student records — including personal email addresses, course information, student numbers, and birth dates
  • 14,145 teacher records — with similar personal data
  • 41 school administrator records — names and credentials
  • 4 website administrator records — names and credentials
  • Passwords stored without hashing — the seller specifically claimed the passwords are "non-hashed," meaning they are stored in plain text

Why This Breach Is Critical

This breach is particularly dangerous for several reasons:

  • Plain-text passwords — if passwords are truly unhashed, every student and teacher account is immediately compromised. Users who reuse these passwords on other services (email, banking, social media) face cascading account takeovers
  • Shared platform vulnerability — a single vulnerability in the LMS platform exposed data across multiple schools simultaneously, demonstrating the risks of shared educational technology platforms
  • Birth dates plus email addresses — this combination is commonly used for identity verification, making affected students vulnerable to identity theft
  • Administrator credentials — compromised admin accounts could allow further access to school systems, grade manipulation, or deployment of additional malware

How This Attack Likely Works

The breach of a shared LMS platform typically occurs through:

  • SQL injection — exploiting vulnerabilities in the LMS web application to extract the entire database
  • Compromised admin credentials — gaining access to the LMS admin panel through phishing or credential stuffing, then exporting all user data
  • Unpatched LMS software — many schools run outdated versions of LMS platforms (Moodle, Canvas, custom systems) with known vulnerabilities
  • Shared hosting vulnerabilities — if multiple schools share the same LMS instance, compromising one entry point exposes all schools' data

How to Prevent This

  1. 1.Never store passwords in plain text — use strong hashing algorithms like bcrypt, scrypt, or Argon2. This is the most critical finding — plain-text password storage is an emergency-level security flaw
  2. 2.Audit your LMS vendor's security practices — ask vendors whether they hash passwords, conduct penetration testing, and maintain SOC 2 compliance before signing contracts
  3. 3.Keep LMS platforms updated — apply security patches immediately. If using Moodle, Canvas, or similar platforms, subscribe to their security advisories
  4. 4.Implement multi-factor authentication (MFA) — even if passwords are compromised, MFA prevents unauthorized login
  5. 5.Use unique credentials per platform — educate students and staff to never reuse passwords across services. Recommend password managers
  6. 6.Isolate school data in shared platforms — if using a multi-tenant LMS, ensure proper data isolation so one school's breach does not expose all schools
  7. 7.Monitor dark web forums — subscribe to threat intelligence services that monitor cybercrime forums for your institution's data

Sources & References

All sources are independently verified. Access dates and archive links are recorded for each citation.

  1. [1]
    Deep Web Konek — Philippine educational institutions' LMS allegedly breached, data for sale on dark web — threat actor 'AFish', unverified claim
LMSmultiple schoolsplain-text passwordsDeep Web Konekunverified

Related Incidents

High

A private college in Davao City

March 3, 2026

High

University of the Philippines Tacloban (UP Tacloban)

October 1, 2025

High

A state university in Metro Manila

July 4, 2026

Know of a Breach?

Help us keep this tracker accurate and complete. Report school data breaches confidentially.

Report a Breach

Is This Entry Inaccurate?

If you represent the named institution or have evidence that corrects or updates this entry, you can request a correction or submit an official statement for publication.

We review all correction requests and respond within 5 business days. Verified corrections are applied promptly. Institutions may also submit a statement that will appear on this page as a right of reply.

Request a Correction

Protect Your School

Use our free tools and guides to assess your school's security posture.

Free Security ToolsGuides & Resources