SchoolBreach.org
BreachesTrendsToolsLearnAbout
Free Security Check
Security Check
SchoolBreach.org

A public resource tracking data breaches in Philippine schools. Helping administrators protect student data through awareness, education, and free security tools.

© 2026 SchoolBreach.org · A community service by OceanEd

Navigate

  • Breaches
  • Trends
  • Tools
  • Learn
  • Methodology

Company

  • About
  • Privacy Policy
  • Terms of Service
  • Contact Us

Disclaimer: This tracker is maintained for educational and awareness purposes. Incidents are documented using threat intelligence monitoring, Philippine media reports, NPC filings, and responsible disclosures. Social media platforms are monitored for leads and are corroborated before publication or naming — never through active scanning or exploitation. Severity ratings and summaries are prepared with AI assistance and reviewed editorially. Full methodology →

Back to Breach Tracker
Unauthorized Access
HighUnconfirmed

A private college in Davao City

The name of this institution has been withheld pending verification of the source. This entry is based on an unconfirmed report.

A threat actor using the alias "Alexandria" claimed on Facebook to have compromised the servers, applications, and Blackboard Learn LMS of a private college in Davao City. The post alleges full administrator access, the ability to bypass a two-factor authentication mechanism, persistence on internal systems, and the capability to destroy LMS data with no available backups. Screenshots of what appears to be the institution's Blackboard admin panel, user directory, and academic-term configuration were shared as evidence. The institution has not issued a public statement and no independent source has confirmed the claim.

March 3, 2026Unknown records affected

Key Facts

Date of Incident
March 3, 2026
Date Discovered
March 3, 2026
Records Affected
Unknown
Source
Alexandria (Facebook post, discussed on Reddit)
Data Types Exposed
UsernamesFull namesEmail addressesRole and affiliation (faculty, instructor, consultant, staff)Profile photosStudent and faculty account metadataLMS course and term dataAdministrative platform access
Response / Action Taken

No official acknowledgement or public statement from the institution has been found. The claim remains unconfirmed.

Single-source notice: This incident is based on a single public post by a self-identified threat actor, discussed on social media but not corroborated by any news outlet, third-party researcher, or official statement from the institution. No sample data has been independently reviewed, and the claim remains unverified. The school's name has been redacted pending verification.

What Happened

On March 3, 2026, a Facebook post authored by an actor using the alias "Alexandria" claimed to have compromised the servers, applications, and Blackboard Learn LMS of a private college in Davao City. The post frames the action as work carried out on behalf of an unnamed group of students from the institution who allegedly engaged Alexandria to assist with a dispute with the school's administration.

The claim has since been discussed in a Reddit thread within a community associated with the institution, which references the original Facebook post. No mainstream news outlet has reported on the incident at the time of writing.

What Alexandria Claims

According to the Facebook post, Alexandria alleges it has:

  • Full administrator access to the institution's servers and applications
  • Compromise of multiple internal and external platforms used by the institution
  • Access to a server that permits bypass of the institution's two-factor authentication — described as "access codes" designed as a second factor
  • Administrator-level access to the institution's Blackboard Learn LMS, including access codes
  • Student and faculty personally identifiable information in its possession
  • Persistence on institutional systems — claiming that attempts to revoke access would be difficult
  • Verified absence of LMS backups — claiming it has confirmed that no recoverable backups exist if Blackboard data were deleted

Alexandria also stated it would not take destructive action "for one month" and would reassess the situation if the student group re-engaged. It claimed it would not leak further data beyond what was already shown in screenshots "unless it has to."

What the Screenshots Appear to Show

Screenshots accompanying the post, if authentic, depict:

  • The Blackboard Learn Ultra administrator panel at a subdomain on `blackboard.com` associated with the institution, showing system information including the current Blackboard Learn release version and theme identifier
  • A user directory view listing usernames, first and last names, email column headers, availability and enable flags, and role/affiliation identifiers including "Instructor," "Faculty - CAS," "Applied Sciences Consultant," and college/department codes
  • A terms (academic calendar) management view showing configured academic years including A.Y. 2025–2026 trimesters and an A.Y. 2026–2027 1st Term, with course-count figures ranging from the tens to over 1,900 per term

The presence of the A.Y. 2026–2027 term configuration is consistent with the screenshots having been captured recently — the current academic planning horizon at the time of the post.

What Is Not Known

  • The authenticity of the screenshots has not been independently validated. Blackboard admin screens are visually distinctive and can be reproduced from other tenants or mocked, so screenshots alone do not prove compromise.
  • The scope and volume of exfiltrated data, if any, is not specified beyond general references to "tons of data."
  • The initial access vector is not described. The claimed ability to "bypass access codes designed as a two-factor authentication" suggests the actor may be referring to a compromise of whatever service issues or validates those codes — but this is not detailed.
  • Whether any student group actually engaged Alexandria is unverified — the narrative of student clients is asserted only by the actor.
  • The institution has not issued a public statement as of the date of this entry.

Why This Claim Warrants Attention

Independent of verification, several elements of the claim merit institutional response:

  • Specific platform naming — the post names Blackboard Learn and references the institution's 2FA/"access codes" by function rather than generically, suggesting at minimum that the actor is familiar with the institution's technology stack
  • Consistent screenshot artifacts — the screenshots depict a plausible Blackboard Ultra admin UI with tenant-specific branding and current term configuration
  • Destructive capability asserted — unlike data-sale posts, this claim emphasizes the ability to disrupt operations, which, if credible, represents availability risk in addition to confidentiality risk
  • Asserted persistence — the claim that access cannot easily be revoked would, if true, require a more thorough incident-response process than a simple password reset

Recommended Actions for the Institution

  1. 1.Treat the claim as a live incident until disproven — convene an incident response team, preserve logs, and engage legal and NPC-reporting counsel
  2. 2.Audit Blackboard Learn administrator activity — review admin sign-ins, user-management actions, and bulk exports for the past 30–90 days and correlate against known-good admin activity
  3. 3.Rotate administrator credentials and enforce MFA re-enrollment — invalidate existing sessions for all privileged Blackboard and institutional accounts
  4. 4.Investigate the 2FA/"access codes" bypass claim directly — identify the service that issues or validates second-factor codes and audit its access logs, admin accounts, and recent configuration changes
  5. 5.Verify backup integrity — confirm whether recoverable Blackboard Learn backups exist (institutional, vendor-managed, or both) and remediate any gaps immediately; do not rely on the actor's assertion
  6. 6.Hunt for persistence mechanisms — look for unauthorized admin accounts, OAuth grants, API keys, scheduled tasks, or SSO trusts that could survive credential rotation
  7. 7.Notify the National Privacy Commission (NPC) within 72 hours if any personal data exposure is confirmed, as required by the Data Privacy Act of 2012 (RA 10173)
  8. 8.Prepare communications for students, parents, faculty, and staff — pre-draft notifications so they can be issued promptly if the breach is confirmed
  9. 9.Preserve evidence — archive the Facebook post, the Reddit discussion thread, and all referenced screenshots, and preserve server-side logs before retention windows expire

How to Prevent This Pattern

  1. 1.Strict separation between 2FA issuance and other administrative systems — the service that issues second-factor codes must not be compromisable through a general administrator account
  2. 2.Enforce phishing-resistant MFA on all administrative accounts (hardware security keys or platform authenticators rather than one-time codes where feasible)
  3. 3.Maintain independent, tested backups of LMS and student-records data — including offline or immutable copies not reachable from production administrator credentials
  4. 4.Audit administrator accounts regularly and remove dormant or unnecessary privileged access
  5. 5.Monitor for anomalous bulk exports, mass user changes, or admin activity from unusual locations or times
  6. 6.Engage vendor incident-response channels proactively — Blackboard (Anthology) and other SaaS providers offer breach-response support that many institutions underuse
  7. 7.Publish an authoritative security contact and disclosure policy so researchers and concerned parties have a channel that is not a public Facebook post
Davao CityDavao Regionprivate collegeBlackboard LearnLMSAlexandriaFacebookRedditunverifiedunconfirmed20262FA bypasspersistencestudent datafaculty dataadministrative access

Related Incidents

High

A state university in Ilocos Region

December 24, 2025

High

A state university in Metro Manila

July 4, 2026

Critical

A private Catholic university in Mindanao

June 2, 2026

Know of a Breach?

Help us keep this tracker accurate and complete. Report school data breaches confidentially.

Report a Breach

Is This Entry Inaccurate?

If you represent the named institution or have evidence that corrects or updates this entry, you can request a correction or submit an official statement for publication.

We review all correction requests and respond within 5 business days. Verified corrections are applied promptly. Institutions may also submit a statement that will appear on this page as a right of reply.

Request a Correction

Protect Your School

Use our free tools and guides to assess your school's security posture.

Free Security ToolsGuides & Resources