What Happened
On April 1, 2026, the threat actor group Fawkes Pilipinas posted on their Facebook page claiming to have defaced a subdomain of the A private university in Cebu City in Cebu City.
The group's message was addressed directly to the university:
"Greetings A private university in Cebu City. We have identified some vulnerabilities within your subdomain. We strongly advise that these issues be patched immediately to prevent any potential risks or incidents."
The post also referenced concerns about tuition costs, stating that "some students have expressed difficulty with the cost and feel they are unable to meet expected educational standards." The attackers claimed no data was harmed and that the action was "only to raise awareness."
What Was Compromised
Based on the threat actor's claim:
- Subdomain defacement — a defacement page was uploaded to the A private university in Cebu City Publishing House subdomain (A private university in Cebu City)
- No data exfiltration claimed — the group stated "no data has been harmed" and that they "simply left our names within your system"
- Vulnerability identified — the attackers claimed to have found exploitable vulnerabilities in the subdomain
The defacement page displayed the Fawkes Pilipinas logo with the text "Infiltrated By Fawkes Pilipinas" along with a message about tuition fees and education quality concerns at the university.
Attacker
The defacement was posted by Fawkes Pilipinas and signed by 0xTerror. The defacement page listed group members: 0xSeve, 0xTerror, X10n, Ch4nc3ll0rx.1337, Lei$, 0xZh3n, Crypt0nymz, and Ph.Sydn3y.
Special greetings were included for: norxrcy, Nullsec Philippines, Zeus, CyberfrOst, DefacerPH, TN$, and Honksec.
Several of these handles are associated with previous Nullsec Philippines operations, including the MBHTE Bangsamoro breach on March 31, 2026, and the La Union colleges breach on March 29, 2026 — indicating an escalating campaign by this group.
Why This Breach Matters
- Major private university — a well-established private university in Cebu City
- Subdomain vulnerability — the attackers exploited a subdomain (Publishing House), highlighting how ancillary web properties can be overlooked in security planning
- Escalating campaign — this is the third Fawkes Pilipinas / Nullsec Philippines attack against a Philippine educational institution in four days (La Union on March 29, MBHTE on March 31, A private university in Cebu City on April 1)
- Hacktivist messaging — the group embedded grievances about tuition costs and education quality, using the defacement as a platform for social commentary
How to Prevent This
- 1.Audit all subdomains — maintain an inventory of all subdomains and ensure each meets the same security standards as the main website
- 2.Patch and update web applications — ensure CMS platforms, plugins, and server software on all subdomains are up to date
- 3.Implement file integrity monitoring — detect unauthorized changes to web files in real time
- 4.Use a Web Application Firewall (WAF) — protect all public-facing subdomains, not just the primary domain
- 5.Restrict file upload capabilities — prevent unauthorized users from uploading files to web-accessible directories
- 6.Conduct regular penetration testing — include all subdomains in the scope of security assessments