What Happened
On January 12, 2026, the threat actor group Storm Breaker Security PH posted on their Facebook page claiming to have breached the database of a private college in Cavite. The post was addressed directly to the institution's administrators: "Dear Admin of [redacted], your database has been leaked. What steps will you take to further secure your website to prevent it from being accessed by hackers."
The post included a Mediafire link to a file titled "College-Databases-Leak.txt" containing the dumped database contents.
How the Attack Was Carried Out
Screenshots show the attacker exploiting a classic SQL injection vulnerability in the college's website. The URL visible in the screenshot requests `officesView.php?id=1%27`: the `%27` appended to the `id` parameter is a URL-encoded single quote (`'`), a hallmark of SQL injection testing. This indicates the web application passed URL query parameters into its SQL queries without sanitizing them, allowing the attacker to extract the underlying database.
What Was Compromised
The leaked database schema reveals the following tables and columns:
- tbl_faculty — faculty_no, Employee_No, Employee_Name, Department, Picture
- tbl_facility — fcl_id, fcl_name, fcl_desc, fcl_photo
- tbl_organization — org_id, org_name, org_desc, org_mod, org_img
- tbl_cluster — cluster_id, cluster_name
- tbl_dept — dept_id, dept_name
- tbl_building — building_name, office_name, contact_person, designation
The faculty table is the most sensitive, containing employee identification numbers and full names linked to departments — information that could be used for identity fraud or social engineering.
Attacker
Storm Breaker Security PH listed team members as: Ph.Error, Assa, Ph.Bl4ke, Sig04i, Ph.Madac, and Vindrax. The post included special greetings to Black Bytes, Pinoy XploitSec, xBL4z3R-Sec PH, and Anonymous San Mateo, and was addressed to "all of the anonymous hacker in the Philippines."
Why This Breach Matters
- SQL injection in 2026 — this is one of the oldest and most well-documented web vulnerabilities (OWASP Top 10), yet educational institutions continue to be compromised by it
- Faculty PII exposed — employee numbers, names, and department assignments can enable targeted phishing and identity fraud
- Public database dump — the full database was made available for download on Mediafire, meaning anyone could access it
- Pattern of targeting — Storm Breaker Security PH has conducted multiple attacks against Philippine educational institutions in early 2026
How to Prevent This
1. Use parameterized queries / prepared statements — never concatenate user input directly into SQL queries
2. Implement input validation — sanitize and validate all URL parameters and form inputs
3. Deploy a Web Application Firewall (WAF) — to detect and block SQL injection attempts
4. Conduct regular security audits — test web applications for OWASP Top 10 vulnerabilities
5. Apply the principle of least privilege — database accounts used by the web application should have minimal permissions
6. Encrypt sensitive data at rest — so that even if a database is dumped, PII is not immediately readable
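The first two items, shown as an added PHP example (not code from the college's site or from the original post): a concatenated lookup beside a validated, parameterized one, each fed the `1'` value that `id=1%27` decodes to. The query behind `officesView.php` is not shown on the page, so the query shape, the function names and the sample rows are assumptions; only the `tbl_dept` column names come from the leaked schema.

```php
<?php
declare(strict_types=1);

// Constructed in-memory database standing in for the site's backend.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE tbl_dept (dept_id INTEGER PRIMARY KEY, dept_name TEXT)');
$pdo->exec("INSERT INTO tbl_dept VALUES (1, 'Registrar'), (2, 'Library')"); // sample rows

// BEFORE (assumed pattern): the raw parameter becomes part of the SQL text,
// so a stray quote changes the statement the database parses.
function findDeptVulnerable(PDO $pdo, string $id): ?array
{
    $sql = "SELECT dept_id, dept_name FROM tbl_dept WHERE dept_id = $id";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// AFTER: accept only a positive integer, then bind it as a typed parameter.
// The SQL text is fixed; the value can never be parsed as SQL.
function findDeptSafe(PDO $pdo, string $id): ?array
{
    $n = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($n === false) {
        return null; // caller should answer 400/404 and log the request
    }
    $stmt = $pdo->prepare('SELECT dept_id, dept_name FROM tbl_dept WHERE dept_id = :id');
    $stmt->bindValue(':id', $n, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

foreach (['1', "1'"] as $id) { // "1'" is the decoded form of id=1%27
    try {
        $v = findDeptVulnerable($pdo, $id);
        $vOut = $v ? $v['dept_name'] : 'no row';
    } catch (PDOException $e) {
        // The quote reached the SQL parser: the input is being treated as code.
        $vOut = 'SQL error from database: ' . $e->getMessage();
    }
    $s = findDeptSafe($pdo, $id);
    printf("id=%s\n  vulnerable: %s\n  safe:       %s\n",
        var_export($id, true), $vOut, $s ? $s['dept_name'] : 'rejected before any query');
}
```

With the concatenated query, the quote produces a database syntax error, which is the signal an attacker looks for; with validation plus a bound parameter the same request is rejected without ever reaching the SQL parser.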
Resolution
As of April 2026, the underlying SQL injection vulnerability appears to have been addressed. The institution has not issued any public acknowledgement of the breach, and no media coverage of the incident has been found.