
A public resource tracking data breaches in Philippine schools. Helping administrators protect student data through awareness, education, and free security tools.

© 2026 SchoolBreach.org · A community service by OceanEd

Disclaimer: This tracker is maintained for educational and awareness purposes. Incidents are documented using threat intelligence monitoring, Philippine media reports, NPC filings, and responsible disclosures. Social media platforms are monitored for leads and are corroborated before publication or naming — never through active scanning or exploitation. Severity ratings and summaries are prepared with AI assistance and reviewed editorially.

Data Exposure · Critical · Resolved

A public college in Batangas City

The name of this institution has been withheld pending verification of the source. This entry is based on an unconfirmed report.

Threat actor '4rch4n63l' from NullsecPhilippines exfiltrated 685,318 records from a public college in Batangas City across two files (profile.json and users.json). Student account passwords were stored and exposed in plain text. The school name has been withheld as the incident was sourced solely from the threat actor's post with no independent confirmation.

March 4, 2026 · 685,318 records affected

Key Facts

  • Date of Incident: March 4, 2026
  • Date Discovered: March 4, 2026
  • Records Affected: 685,318 in total across 2 files: profile.json (513,002 records) and users.json (172,316 records)
  • Source: NullSec Philippines (Facebook)
  • Data Types Exposed: Student PII, student profiles, admission records, registration records, plaintext passwords

Response / Action Taken

The portal vulnerability appears to have been remediated following public disclosure. Neither an official statement from the institution nor an NPC notification had been confirmed as of the date of this report.

What Happened

On March 4, 2026, a threat actor operating under the handle 4rch4n63l, associated with #NullsecPhilippines, posted a message on Facebook addressed directly to a public college in Batangas City. The post stated: "We are currently holding at least 600K lines of Student PII. It came from your Admission and Registration Portals with stupid security. everything is messed up, your developer put the users file publicly including the profiles."

The post threatened to publicly leak the data if security issues were not resolved within one week, and credited Yasuo as a collaborator: "also thanks to Yasuo for helping me expose this."

The files were not obtained through a sophisticated hack — the developer had left the user data files (including the profiles and credentials) publicly accessible with no authentication, allowing anyone to download them directly.

What Was Exposed

The exfiltrated data consists of two files totalling 685,318 records:

File            Records
profile.json    513,002
users.json      172,316
Total           685,318

This exceeds the threat actor's initial "600,000+" claim. Sample records confirm the following fields:

profile.json — student profiles:

  • Student ID and student number
  • Full name (first, middle, last, maiden name, extension)
  • Date of birth and age
  • Place of birth
  • Gender and civil status
  • Contact details (mobile number, email address, telephone)
  • Religion, citizenship, and nationality
  • Parent/guardian information

users.json — account credentials:

  • Plaintext (unencrypted) passwords — account passwords stored and exposed with no hashing whatsoever

The inclusion of plaintext passwords in users.json is a critical compounding factor. Beyond the privacy violation of the profile data, affected students face direct account compromise risk on any other service where they reused the same password.

Current Status

The vulnerability appears to have been remediated. The portal was allegedly secured following the threat actor's public disclosure. However, it is unknown whether the institution has formally notified the National Privacy Commission (NPC) as required under the Data Privacy Act.

How This Type of Attack Works

Based on the threat actor's description, this appears to be a misconfiguration / data exposure incident rather than a sophisticated hack. The attacker claimed that user files and profiles were publicly accessible — suggesting that file directories or API endpoints on the admission and registration portals lacked proper authentication or access controls.

Common causes of this type of exposure include:

  • Directory listing enabled on web servers, allowing anyone to browse uploaded files
  • No authentication on file storage paths or API endpoints
  • Predictable file URLs that allow enumeration of student documents
  • Misconfigured cloud storage (e.g., public S3 buckets or Firebase Storage rules)
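A defender-side check for the first two causes, as an added example that is not part of the original entry or the portal's code: it walks a web server's document root and reports data files stored where the server could serve them directly, flagging JSON files that contain credential-like keys. The extension list, key list and document-root path are assumptions.

```python
import json
import os

# Assumed lists for this example; extend them for your own stack.
DATA_EXTENSIONS = {".json", ".csv", ".sql", ".bak", ".zip"}
CREDENTIAL_KEYS = {"password", "passwd", "pwd", "secret", "token"}


def credential_keys_in(obj, found=None):
    """Recursively collect credential-like key names from parsed JSON."""
    found = set() if found is None else found
    if isinstance(obj, dict):
        for key, value in obj.items():
            if str(key).lower() in CREDENTIAL_KEYS:
                found.add(str(key).lower())
            credential_keys_in(value, found)
    elif isinstance(obj, list):
        for item in obj:
            credential_keys_in(item, found)
    return found


def audit_webroot(webroot):
    """List data files stored under the document root.

    Returns sorted (relative_path, size_bytes, credential_keys) tuples.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            if os.path.splitext(name)[1].lower() not in DATA_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            keys = set()
            if name.lower().endswith(".json"):
                try:
                    with open(path, encoding="utf-8") as fh:
                        keys = credential_keys_in(json.load(fh))
                except (OSError, ValueError):
                    pass  # unreadable or invalid JSON is still reported
            rel = os.path.relpath(path, webroot)
            findings.append((rel, os.path.getsize(path), sorted(keys)))
    return sorted(findings)


if __name__ == "__main__":
    for rel, size, keys in audit_webroot("/var/www/html"):  # assumed path
        print(f"{rel}\t{size} bytes\tcredential keys: {keys or 'none'}")
```

Any file this reports should be moved out of the document root or placed behind an authenticated endpoint; a finding with credential keys means stored secrets are one request away from exposure.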

Plaintext Password Storage

The leaked sample data reveals that the admission portal stored user passwords in plain text — meaning passwords were saved to the database exactly as users typed them, with no hashing or encryption applied.

This is a fundamental security failure. Proper password storage requires a one-way hashing algorithm (such as bcrypt, scrypt, or Argon2) so that even if the database is accessed, passwords cannot be recovered. With plaintext storage:

  • Anyone with database access (including the attacker) can read every user's password directly
  • Affected students who reuse passwords on other services (email, social media, banking) are at immediate risk of account takeover
  • There is no way to "un-expose" the passwords — they must be treated as permanently compromised

Recommended Actions for the Institution

  1. Force password resets for all affected accounts immediately
  2. Migrate to hashed password storage using bcrypt, scrypt, or Argon2 — never store passwords in plain text
  3. Notify affected students of the plaintext password exposure and advise them to change passwords on any other accounts where they used the same password
  4. Notify the NPC as required by the Data Privacy Act of 2012 — even if the portal has been secured, the prior exposure of 685,318 records with plaintext passwords is a notifiable breach
  5. Conduct a full security audit of all web-facing portals
  6. Disable public directory listing and implement proper authentication on all endpoints
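Actions 1 and 2, together with the plaintext storage problem described above, sketched as an added example that is not the portal's code: each plaintext password is replaced with a salted scrypt hash, the account is flagged for a forced reset, and the reset refuses the exposed password. The field names (`password`, `password_hash`, `must_reset`) and the cost parameters are assumptions.

```python
import base64
import hashlib
import hmac
import os

# scrypt cost parameters: assumed values for this example, tune to your hardware.
N, R, P, KEY_LEN = 2**14, 8, 1, 32


def hash_password(password):
    """Return a self-describing record: scrypt$N$r$p$salt_b64$hash_b64."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=N, r=R, p=P, dklen=KEY_LEN)
    enc = lambda raw: base64.b64encode(raw).decode()
    return f"scrypt${N}${R}${P}${enc(salt)}${enc(digest)}"


def verify_password(password, record):
    """Recompute with the stored salt and parameters; compare in constant time."""
    try:
        scheme, n, r, p, salt_b64, hash_b64 = record.split("$")
        salt, expected = base64.b64decode(salt_b64), base64.b64decode(hash_b64)
        if scheme != "scrypt":
            return False
        candidate = hashlib.scrypt(password.encode(), salt=salt, n=int(n), r=int(r),
                                   p=int(p), dklen=len(expected))
    except (ValueError, TypeError):
        return False  # malformed record
    return hmac.compare_digest(candidate, expected)


def migrate_user(user):
    """Swap the plaintext 'password' field for a hash and flag a forced reset."""
    migrated = {k: v for k, v in user.items() if k != "password"}
    if "password" in user:
        migrated["password_hash"] = hash_password(user["password"])
        migrated["must_reset"] = True  # the old password is already exposed
    return migrated


def complete_reset(user, new_password):
    """Store the new hash, refusing reuse of the exposed password."""
    if verify_password(new_password, user["password_hash"]):
        return False
    user["password_hash"] = hash_password(new_password)
    user["must_reset"] = False
    return True
```

Hashing alone does not help accounts whose passwords have already leaked, which is why the migration sets `must_reset` and the reset step rejects the old value.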

Context

This incident involves a local public college in Batangas City, CALABARZON. As a public educational institution handling thousands of student records including minors' data, it is subject to the Data Privacy Act of 2012 and NPC oversight. The school name has been withheld pending independent confirmation outside of the threat actor's post.

This incident highlights the ongoing risk of misconfigured web portals in Philippine educational institutions — a pattern seen in multiple previous breaches tracked on this site, including the DepEd OVAP database exposure and various university portal breaches.

Sources & References

All sources are independently verified. Access dates and archive links are recorded for each citation.

  1. 4rch4n63l original threat post (Facebook) — Original Facebook post by threat actor '4rch4n63l' on March 4, 2026, threatening to leak 600K+ lines of student PII from a public college in Batangas City if the misconfiguration was not fixed within one week. Credits Yasuo (#NullsecPhilippines) as collaborator.
  2. Sample data leak showing plaintext passwords (Facebook) — Facebook post containing sample leaked records from the Batangas City portal breach, confirming that student passwords were stored and exposed in plain text.

Tags: Batangas, CALABARZON, NullsecPhilippines, 4rch4n63l, Yasuo, admission portal, registration portal, data exposure, student PII, plaintext passwords, password storage
