What Happened
On March 4, 2026, a threat actor operating under the handle 4rch4n63l, associated with #NullsecPhilippines, published a Facebook post addressed directly to a public college in Batangas City. The post stated: "We are currently holding at least 600K lines of Student PII. It came from your Admission and Registration Portals with stupid security. Everything is messed up, your developer put the users file publicly including the profiles."
The post threatened to publicly leak the data if security issues were not resolved within one week, and credited Yasuo as a collaborator: "also thanks to Yasuo for helping me expose this."
The files were not obtained through a sophisticated hack — the developer had left the user data files (including the profiles and credentials) publicly accessible with no authentication, allowing anyone to download them directly.
What Was Exposed
The exfiltrated data consists of two files totalling 685,318 records:
| File | Records |
|---|---|
| profile.json | 513,002 |
| users.json | 172,316 |
| Total | 685,318 |
This exceeds the threat actor's initial "600,000+" claim. Sample records confirm the following fields:
profile.json — student profiles:
- Student ID and student number
- Full name (first, middle, last, maiden name, extension)
- Date of birth and age
- Place of birth
- Gender and civil status
- Contact details (mobile number, email address, telephone)
- Religion, citizenship, and nationality
- Parent/guardian information
users.json — account credentials:
- Plaintext (unencrypted) passwords — account passwords stored and exposed with no hashing whatsoever
The inclusion of plaintext passwords in users.json is a critical compounding factor. Beyond the privacy violation of the profile data, affected students face direct account compromise risk on any other service where they reused the same password.
Current Status
The vulnerability appears to have been remediated. The portal was allegedly secured following the threat actor's public disclosure. However, it is unknown whether the institution has formally notified the National Privacy Commission (NPC) as required under the Data Privacy Act.
How This Type of Attack Works
Based on the threat actor's description, this appears to be a misconfiguration / data exposure incident rather than a sophisticated hack. The attacker claimed that user files and profiles were publicly accessible — suggesting that file directories or API endpoints on the admission and registration portals lacked proper authentication or access controls.
Common causes of this type of exposure include:
- Directory listing enabled on web servers, allowing anyone to browse uploaded files
- No authentication on file storage paths or API endpoints
- Predictable file URLs that allow enumeration of student documents
- Misconfigured cloud storage (e.g., public S3 buckets or Firebase Storage rules)
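
One way to check for the first two causes from the server side, as an added example that is not part of the original report: a Python audit run on the web server's own filesystem that flags data files stored under the document root and directories that would be listed if directory listing were enabled. The extension list, index file names and sample layout are assumptions constructed for illustration.

```python
import os
import tempfile

# Extensions that usually hold exports or dumps, not page assets (assumed list).
DATA_EXTS = {".json", ".csv", ".sql", ".bak", ".xlsx", ".zip"}
INDEX_FILES = {"index.html", "index.htm", "index.php"}

def audit_docroot(docroot: str) -> dict:
    """Walk a document root on the server's own filesystem and report
    (a) data files sitting in a servable path, for review, and
    (b) directories with no index file, whose contents are shown to any
        visitor if directory listing (autoindex) is enabled."""
    findings = {"data_files": [], "listable_dirs": []}
    for dirpath, _dirs, filenames in os.walk(docroot):
        if not INDEX_FILES & {f.lower() for f in filenames}:
            findings["listable_dirs"].append(os.path.relpath(dirpath, docroot))
        for name in filenames:
            if os.path.splitext(name)[1].lower() in DATA_EXTS:
                path = os.path.join(dirpath, name)
                findings["data_files"].append(
                    (os.path.relpath(path, docroot), os.path.getsize(path)))
    findings["data_files"].sort()
    findings["listable_dirs"].sort()
    return findings

def build_sample_docroot(base: str) -> str:
    """Constructed layout mirroring the report: exports under a public path."""
    root = os.path.join(base, "public_html")
    os.makedirs(os.path.join(root, "admission", "data"))
    for rel, body in [("index.html", "<html></html>"),
                      ("admission/index.php", "<?php ?>"),
                      ("admission/data/users.json", "[]"),
                      ("admission/data/profile.json", "[]")]:
        with open(os.path.join(root, *rel.split("/")), "w") as fh:
            fh.write(body)
    return root

def demo() -> dict:
    """Run the audit against the constructed sample tree."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_docroot(build_sample_docroot(tmp))

if __name__ == "__main__":
    print(demo())
```

Anything reported under `data_files` belongs outside the document root, served only through an endpoint that checks the caller's session and authorization.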
Plaintext Password Storage
The leaked sample data reveals that the admission portal stored user passwords in plain text — meaning passwords were saved to the database exactly as users typed them, with no hashing or encryption applied.
This is a fundamental security failure. Proper password storage requires a one-way hashing algorithm (such as bcrypt, scrypt, or Argon2) so that even if the database is accessed, passwords cannot be recovered. With plaintext storage:
- Anyone with database access (including the attacker) can read every user's password directly
- Affected students who reuse passwords on other services (email, social media, banking) are at immediate risk of account takeover
- There is no way to "un-expose" the passwords — they must be treated as permanently compromised
Recommended Actions for the Institution
1. Force password resets for all affected accounts immediately
2. Migrate to hashed password storage using bcrypt, scrypt, or Argon2 — never store passwords in plain text
3. Notify affected students of the plaintext password exposure and advise them to change passwords on any other accounts where they used the same password
4. Notify the NPC as required by the Data Privacy Act of 2012 — even if the portal has been secured, the prior exposure of 685,318 records with plaintext passwords is a notifiable breach
5. Conduct a full security audit of all web-facing portals
6. Disable public directory listing and implement proper authentication on all endpoints
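
The following added example (not the institution's code, and not from the original report) shows actions 1 and 2 together with the storage rule from the Plaintext Password Storage section, using scrypt from Python's standard library. Field names, cost parameters and the sample record are assumptions.

```python
import base64
import hashlib
import hmac
import os

# scrypt cost parameters: assumed starting values, tune for your hardware.
N, R, P, DKLEN = 2**14, 8, 1, 32

def hash_password(password: str) -> str:
    """Return 'scrypt$N$r$p$salt$hash' with a fresh random salt per password."""
    salt = os.urandom(16)
    dk = hashlib.scrypt(password.encode(), salt=salt, n=N, r=R, p=P, dklen=DKLEN)
    enc = lambda b: base64.b64encode(b).decode()
    return f"scrypt${N}${R}${P}${enc(salt)}${enc(dk)}"

def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and parameters; compare in constant time."""
    try:
        scheme, n, r, p, salt_b64, dk_b64 = stored.split("$")
        if scheme != "scrypt":
            return False
        salt, dk = base64.b64decode(salt_b64), base64.b64decode(dk_b64)
        cand = hashlib.scrypt(password.encode(), salt=salt, n=int(n), r=int(r),
                              p=int(p), dklen=len(dk))
    except (ValueError, TypeError, AttributeError):
        return False
    return hmac.compare_digest(cand, dk)

def migrate_exposed(record: dict) -> dict:
    """Drop the plaintext field. The exposed password is NOT carried over as a
    hash: it is already public, so the account has no usable credential
    until the owner completes a reset."""
    clean = {k: v for k, v in record.items() if k != "password"}
    clean.update(password_hash=None, must_reset=True)
    return clean

def set_password(record: dict, new_password: str) -> dict:
    """Called at the end of a reset flow (the flow itself is out of scope)."""
    return {**record, "password_hash": hash_password(new_password),
            "must_reset": False}

def login_ok(record: dict, password: str) -> bool:
    """Refuse login while a reset is pending or no hash is stored."""
    if record.get("must_reset") or not record.get("password_hash"):
        return False
    return verify_password(password, record["password_hash"])

# Constructed sample record; field names are assumptions, not the real schema.
SAMPLE = {"username": "student001", "password": "Example-Pass-1"}
```

Storing the parameters and salt inside each record lets the cost be raised later without invalidating existing hashes.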
Context
This incident involves a local public college in Batangas City, CALABARZON. As a public educational institution handling thousands of student records including minors' data, it is subject to the Data Privacy Act of 2012 and NPC oversight. The school name has been withheld pending independent confirmation outside of the threat actor's post.
This incident highlights the ongoing risk of misconfigured web portals in Philippine educational institutions — a pattern seen in multiple previous breaches tracked on this site, including the DepEd OVAP database exposure and various university portal breaches.
Sources & References
All sources are independently verified. Access dates and archive links are recorded for each citation.
- [1] 4rch4n63l original threat post (Facebook) — Original Facebook post by threat actor '4rch4n63l' on March 4, 2026, threatening to leak 600K+ lines of student PII from a public college in Batangas City if the misconfiguration was not fixed within one week. Credits Yasuo (#NullsecPhilippines) as collaborator.
- [2] Sample data leak showing plaintext passwords (Facebook) — Facebook post containing sample leaked records from the Batangas City portal breach, confirming that student passwords were stored and exposed in plain text.