What Happened
On May 3, 2026, the Facebook account 4b1smo — a Nullsec Philippines-affiliated account that the main Nullsec page began publicly promoting earlier the same day ("follow this new page of Nos thanks") — published a short post addressed to a foundation college in Mindanao. The post text read:
"time to fix [institution] - Main Page weak security lolx"
The post linked to a single archive.md snapshot URL as visual evidence (URL withheld here because the snapshot contents name the institution). No additional information was provided: no vulnerability class, no claim of data exfiltration, no sample data, no specific URL on the institution's own infrastructure.
Nullsec Philippines re-shared the post on its main page within minutes, signaling endorsement of the claim by the broader collective.
Editorial Observation: Institutional Site Is Unreachable
As of May 3, 2026, 09:21 UTC (≈17:21 Manila time), SchoolBreach.org's editorial team independently observed that the institution's primary website is returning a Cloudflare 522 ("Connection timed out") error, indicating that requests reach Cloudflare's edge but the institution's origin web server is not responding. The Cloudflare check shows Browser → Cloudflare working, and Host → Error.
A 522 error on its own does not establish what caused the outage. At least three explanations are plausible and we cannot distinguish between them from the public footprint alone:
1. Intentional takedown by the institution in response to the threat-actor post — the most operationally optimistic reading
2. Coincidental hosting outage unrelated to the post, given that 522 errors are also produced by routine origin-server problems (overload, maintenance, hosting-provider issues)
3. Exploitation-related disruption — if the "weak security" the actor referenced was demonstrated more aggressively than the single screenshot in the post implies, the origin server may have been left in a degraded state
We are not asserting which of these applies. We note the unavailability as a factual editorial observation, with the timestamp captured so that subsequent restoration can be cross-referenced.
What Is and Isn't Confirmed
Confirmed from the post itself:
- The threat actor publicly named the institution
- An archive.md snapshot of something on or about the institution's main page exists
- Nullsec Philippines re-shared the post, attributing it to the same operational collective behind other May 2 claims tracked on this site
Not confirmed:
- What "weak security" specifically means in this context — the post is a single line and a screenshot
- Whether the actor obtained any access to institutional systems beyond viewing or capturing the page
- Whether any data was exfiltrated — the post makes no such claim
- Whether the institution has been notified, is aware, or considers the post to constitute an incident
This entry is sourced solely from a threat-actor social-media post and is therefore tracked as investigating. Severity is recorded as low because the actor explicitly does not claim data exfiltration and the public footprint is limited to a single archive snapshot. The institution name has been withheld in public display.
Attacker
The post was published by 4b1smo, a Facebook account that Nullsec Philippines began publicly promoting on May 3, 2026, and that re-publishes content from the broader Nullsec collective. The same account also published the IBA College of Mindanao Inc. website breach (May 3) on the same day.
This places the post in the broader Nullsec / Fawkes Pilipinas / Crypt0nymz campaign documented across many entries on this site, including the DepEd Training Platform CSV leak (May 3), the MIMAROPA state university MIS defacement (May 2), the Laguna technical-institute off-domain claim (May 2), and the San Juan, Batangas Catholic K-12 claim (May 1).
Recommended Actions for the Institution
1. Audit the institution's main page — review the publicly-reachable homepage and any associated admin endpoints for the specific weakness the screenshot is likely to depict
2. Patch and update the web stack — ensure the CMS, plugins, server software, and any admin interface on the main page are fully patched
3. Implement file integrity monitoring — detect unauthorized changes to web files in real time, in case the actor returns with a more substantive defacement attempt
4. Audit credentials — confirm that no default or weak admin credentials are in use on the main site
5. Preserve evidence — save the archive snapshot and any related logs while the issue is being investigated
6. Monitor for follow-up posts — Nullsec Philippines and 4b1smo have demonstrated a pattern of follow-up posts when a first claim is thin; a second post within days could include sample data or a more specific access vector