Single-source notice: This incident is based on a single public post by a self-identified threat actor, discussed on social media but not corroborated by any news outlet, third-party researcher, or official statement from the institution. No sample data has been independently reviewed, and the claim remains unverified. The school's name has been redacted pending verification.
What Happened
On March 3, 2026, a Facebook post authored by an actor using the alias "Alexandria" claimed to have compromised the servers, applications, and Blackboard Learn LMS of a private college in Davao City. The post frames the action as work carried out on behalf of an unnamed group of students from the institution who allegedly engaged Alexandria to assist with a dispute with the school's administration.
The claim has since been discussed in a Reddit thread within a community associated with the institution, which references the original Facebook post. No mainstream news outlet has reported on the incident at the time of writing.
What Alexandria Claims
According to the Facebook post, Alexandria alleges the following:
- Full administrator access to the institution's servers and applications
- Compromise of multiple internal and external platforms used by the institution
- Access to a server that permits bypass of the institution's two-factor authentication — described as "access codes" designed as a second factor
- Administrator-level access to the institution's Blackboard Learn LMS, including access codes
- Student and faculty personally identifiable information in its possession
- Persistence on institutional systems — claiming that attempts to revoke access would be difficult
- Verified absence of LMS backups — claiming it has confirmed that no recoverable backups exist if Blackboard data were deleted
Alexandria also stated it would not take destructive action "for one month" and would reassess the situation if the student group re-engaged. It claimed it would not leak further data beyond what was already shown in screenshots "unless it has to."
What the Screenshots Appear to Show
Screenshots accompanying the post, if authentic, depict:
- The Blackboard Learn Ultra administrator panel at a subdomain on `blackboard.com` associated with the institution, showing system information including the current Blackboard Learn release version and theme identifier
- A user directory view listing usernames, first and last names, email column headers, availability and enable flags, and role/affiliation identifiers including "Instructor," "Faculty - CAS," "Applied Sciences Consultant," and college/department codes
- A terms (academic calendar) management view showing configured academic years including A.Y. 2025–2026 trimesters and an A.Y. 2026–2027 1st Term, with course-count figures ranging from the tens to over 1,900 per term
The presence of the A.Y. 2026–2027 term configuration is consistent with the screenshots having been captured recently, since that term falls within the academic planning horizon at the time of the post.
What Is Not Known
- The authenticity of the screenshots has not been independently validated. Blackboard admin screens are visually distinctive and can be reproduced from other tenants or mocked, so screenshots alone do not prove compromise.
- The scope and volume of exfiltrated data, if any, is not specified beyond general references to "tons of data."
- The initial access vector is not described. The claimed ability to "bypass access codes designed as a two-factor authentication" suggests the actor may be referring to a compromise of whatever service issues or validates those codes — but this is not detailed.
- Whether any student group actually engaged Alexandria is unverified — the narrative of student clients is asserted only by the actor.
- The institution has not issued a public statement as of the date of this entry.
Why This Claim Warrants Attention
Independent of verification, several elements of the claim merit institutional response:
- Specific platform naming — the post names Blackboard Learn and references the institution's 2FA/"access codes" by function rather than generically, suggesting at minimum that the actor is familiar with the institution's technology stack
- Consistent screenshot artifacts — the screenshots depict a plausible Blackboard Ultra admin UI with tenant-specific branding and current term configuration
- Destructive capability asserted — unlike data-sale posts, this claim emphasizes the ability to disrupt operations, which, if credible, represents availability risk in addition to confidentiality risk
- Asserted persistence — the claim that access cannot easily be revoked would, if true, require a more thorough incident-response process than a simple password reset
Recommended Actions for the Institution
1. Treat the claim as a live incident until disproven — convene an incident response team, preserve logs, and engage legal and NPC-reporting counsel
2. Audit Blackboard Learn administrator activity — review admin sign-ins, user-management actions, and bulk exports for the past 30–90 days and correlate against known-good admin activity
3. Rotate administrator credentials and enforce MFA re-enrollment — invalidate existing sessions for all privileged Blackboard and institutional accounts
4. Investigate the 2FA/"access codes" bypass claim directly — identify the service that issues or validates second-factor codes and audit its access logs, admin accounts, and recent configuration changes
5. Verify backup integrity — confirm whether recoverable Blackboard Learn backups exist (institutional, vendor-managed, or both) and remediate any gaps immediately; do not rely on the actor's assertion
6. Hunt for persistence mechanisms — look for unauthorized admin accounts, OAuth grants, API keys, scheduled tasks, or SSO trusts that could survive credential rotation
7. Notify the National Privacy Commission (NPC) within 72 hours if any personal data exposure is confirmed, as required by the Data Privacy Act of 2012 (RA 10173)
8. Prepare communications for students, parents, faculty, and staff — pre-draft notifications so they can be issued promptly if the breach is confirmed
9. Preserve evidence — archive the Facebook post, the Reddit discussion thread, and all referenced screenshots, and preserve server-side logs before retention windows expire
How to Prevent This Pattern
1. Strict separation between 2FA issuance and other administrative systems — the service that issues second-factor codes must not be compromisable through a general administrator account
2. Enforce phishing-resistant MFA on all administrative accounts (hardware security keys or platform authenticators rather than one-time codes where feasible)
3. Maintain independent, tested backups of LMS and student-records data — including offline or immutable copies not reachable from production administrator credentials
4. Audit administrator accounts regularly and remove dormant or unnecessary privileged access
5. Monitor for anomalous bulk exports, mass user changes, or admin activity from unusual locations or times
6. Engage vendor incident-response channels proactively — Blackboard (Anthology) and other SaaS providers offer breach-response support that many institutions underuse
7. Publish an authoritative security contact and disclosure policy so researchers and concerned parties have a channel that is not a public Facebook post
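Recommended action 2 and prevention item 5 both come down to comparing administrator activity against a known-good baseline. The Python example below is added here and is not part of the original post or any Blackboard tooling; the CSV columns, account names, network range, working hours and export threshold are constructed assumptions, not a Blackboard Learn log schema.

```python
import csv
import io
import ipaddress
from collections import Counter
from datetime import datetime

# Constructed sample export; column names are assumptions, not a Blackboard Learn log schema.
SAMPLE_EVENTS = """timestamp,actor,action,source_ip,records
2026-02-24T09:12:00+08:00,adm.reyes,admin_login,203.0.113.10,0
2026-02-27T02:41:00+08:00,adm.reyes,admin_login,198.51.100.77,0
2026-02-27T02:44:00+08:00,adm.reyes,user_export,198.51.100.77,4200
2026-02-27T02:50:00+08:00,svc.sync2,role_grant,198.51.100.77,1
2026-02-28T10:05:00+08:00,adm.cruz,user_export,203.0.113.25,35
"""

KNOWN_ADMINS = {"adm.reyes", "adm.cruz"}                   # approved privileged roster (constructed)
KNOWN_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]  # known-good admin egress range (constructed)
WORK_HOURS = range(7, 20)                                  # 07:00-19:59 in the event's own UTC offset
EXPORT_LIMIT = 500                                         # records per export before review


def audit(csv_text, admins=KNOWN_ADMINS, networks=KNOWN_NETWORKS):
    """Return (timestamp, actor, action, reasons) for every event that breaks the baseline."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        when = datetime.fromisoformat(row["timestamp"])
        addr = ipaddress.ip_address(row["source_ip"])
        reasons = []
        if row["actor"] not in admins:
            reasons.append("actor_not_on_roster")     # possible persistence account
        if not any(addr in net for net in networks):
            reasons.append("unknown_source_network")
        if when.hour not in WORK_HOURS:
            reasons.append("off_hours")
        if row["action"].endswith("_export") and int(row["records"]) > EXPORT_LIMIT:
            reasons.append("bulk_export")
        if reasons:
            findings.append((row["timestamp"], row["actor"], row["action"], reasons))
    return findings

def summarize(findings):
    """Count findings per reason so reviewers can triage the largest category first."""
    return Counter(reason for *_, reasons in findings for reason in reasons)

if __name__ == "__main__":
    for ts, actor, action, reasons in audit(SAMPLE_EVENTS):
        print(ts, actor, action, ",".join(reasons))
    print(dict(summarize(audit(SAMPLE_EVENTS))))
```

An event that trips several rules at once, such as the off-hours export from an unrecognized network in the sample, is the kind of entry to pull first when correlating against known-good admin activity.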