Single-source notice: This incident is based solely on an unverified Facebook post by a threat actor claiming to sell the data. No sample has been publicly reviewed, no affected institution has confirmed the breach, and no independent source has corroborated the claim. As of April 23, 2026, the original Facebook listing is no longer publicly visible — it may have been removed by the seller, by Facebook for a terms-of-service violation, or in response to action by the named institution; the cause of the removal has not been established. Removal of the public listing does not by itself resolve the underlying risk, since the actor retains whatever data underlay the post. The school's name has been redacted pending verification.
What Happened
On April 21, 2026, a Facebook account operating under the alias "L1NX" posted a public "Selling Database" listing naming an international school in Quezon City. The post was shared via Facebook's Messenger-embedded browser view of mobile.facebook.com and invited interested buyers to send a private message for a sample.
The seller offered the data as a "PDF print base" for USD 133, described as "including Close-Knits," and directed potential buyers to contact them by PM for a sample.
What the Seller Claims to Have
According to the listing, the database allegedly includes:
- Full names
- Home addresses
- Phone numbers
- Personal file manager contents
- Identification card data ("[school name redacted]" in the listing)
- Parents' names
- Registry records
- In/out system (attendance / entry–exit logs)
- [School name redacted] records
- Enrollment data
- Virtual hub management information
The listing also cites what appear to be cloud-service account identifiers — two admin/sales email addresses on the school's domain alongside short alphanumeric strings that resemble account IDs or passwords. The specific values are intentionally not reproduced here to avoid amplifying credential exposure.
What Is Not Known
- No sample has been reviewed. The seller only offers samples via private message, so the actual contents, recency, and record count are unverified.
- Record count is unknown. The post does not claim a specific number of affected students, parents, or staff.
- Initial access vector is unknown. The post does not describe how the data was obtained. The presence of what appear to be cloud-service credentials alongside "file manager" and "virtual hub" references raises the possibility of compromised administrator accounts or cloud storage, but this is not confirmed.
- The institution has not responded publicly as of April 21, 2026.
Update — April 29, 2026
Upon revisiting, the L1NX Facebook account is still active, but all of its posts — including the original sale listing — have been removed. The wholesale removal (rather than the deletion of just the sale post) is consistent with the seller scrubbing their public history rather than a single post being taken down by Facebook moderation, but the cause cannot be confirmed. The takedown does not, on its own, confirm or refute the underlying breach claim — the data, if it existed, may still be in the seller's possession or may have been transacted privately before removal.
We did not archive a copy of the original listing while it was live, so the description above is reconstructed from contemporaneous notes rather than a preserved screenshot or web-archive snapshot.
Why This Listing Warrants Attention
Even before verification, the structure of the listing suggests insider-grade familiarity with the school's systems:
- Use of internal system names — references to specific platforms (registry, in/out system, virtual hub, [school name redacted]) mirror the naming conventions schools use for their own internal tools
- Administrator email addresses — the listing names addresses on the school's own domain, which, whether authentic or fabricated, are consistent with data someone with internal access would cite
- Bundled "print base" format — packaging data as a ready-to-print PDF aligns with the kind of export a user with legitimate access to an admin portal could produce
None of this confirms the breach. It does, however, justify the institution treating the claim seriously pending internal investigation.
Recommended Actions for the Institution
1. Rotate the credentials named in the listing immediately — even if the breach claim is unverified, the specific admin email addresses mentioned should have passwords reset, sessions invalidated, and multi-factor authentication enforced
2. Audit cloud-service access logs — review sign-ins, downloads, and API activity on the accounts named in the listing (and equivalent service accounts) for anomalous access
3. Check for bulk export events — look for any PDF-print, database-export, or file-manager bulk-download events in the last 30–90 days
4. Notify the National Privacy Commission (NPC) within 72 hours if a breach is confirmed, as required by the Data Privacy Act of 2012 (RA 10173)
5. Request a sample from the seller through authorized channels — law enforcement or a retained incident-response firm can pose as a buyer to evaluate the sample without funding the sale
6. Prepare parent and student notifications — even while investigating, draft notifications so they can go out quickly if the claim is confirmed
7. Preserve evidence — screenshot the listing, archive the Facebook post, and preserve all relevant logs before they roll off retention windows
How to Prevent This Pattern
1. Principle of least privilege — administrator accounts should only be able to export data they need for their role; bulk "print all" features should be gated and logged
2. Multi-factor authentication on all admin accounts — including cloud storage, student information systems, and any virtual-hub or LMS admin panels
3. Export and download monitoring — alert on unusually large or off-hours exports from admin portals
4. Offboarding procedures — immediately revoke credentials and cloud access for departing staff, and audit their recent activity
5. Dark-web and social-media monitoring — subscribe to services that surface listings mentioning the school's domain or brand names
6. Data minimization — avoid centralizing parent phone numbers, addresses, and ID-card data in systems that don't need them
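The bulk-export check in the recommended actions and the export and download monitoring item above can share one piece of detection logic. The following is an added example, not code from the institution or any vendor: the log schema, action names, thresholds and the school.example addresses are all assumptions, and the log lines are constructed.

```python
import json
from datetime import datetime, timedelta

# Constructed audit-log lines (one JSON object per line). Field names, action
# names and the school.example addresses are assumptions for illustration.
SAMPLE_LOG = """\
{"ts": "2026-01-05T09:00:00+08:00", "user": "admin@school.example", "action": "db_export", "records": 5000}
{"ts": "2026-04-02T10:15:00+08:00", "user": "registrar@school.example", "action": "pdf_print", "records": 12}
{"ts": "2026-04-07T02:40:00+08:00", "user": "admin@school.example", "action": "db_export", "records": 1800}
{"ts": "2026-04-08T11:00:00+08:00", "user": "registrar@school.example", "action": "login", "records": 0}
{"ts": "2026-04-09T14:00:00+08:00", "user": "sales@school.example", "action": "pdf_print", "records": 200}
{"ts": "2026-04-09T14:10:00+08:00", "user": "sales@school.example", "action": "pdf_print", "records": 200}
{"ts": "2026-04-09T14:20:00+08:00", "user": "sales@school.example", "action": "pdf_print", "records": 200}
"""

EXPORT_ACTIONS = {"pdf_print", "db_export", "file_bulk_download"}
BULK_THRESHOLD = 500             # records; tune to the portal's normal volume
WINDOW = timedelta(minutes=30)   # catches one bulk pull split into small exports
WORK_HOURS = range(7, 19)        # 07:00-18:59, in the log's own UTC offset

def find_suspicious_exports(lines, now, lookback_days=90):
    """Return (timestamp, user, reason) for export events that need review."""
    cutoff = now - timedelta(days=lookback_days)
    events = []
    for line in lines:
        if not line.strip():
            continue
        e = json.loads(line)
        ts = datetime.fromisoformat(e["ts"])
        if e["action"] in EXPORT_ACTIONS and ts >= cutoff:
            events.append((ts, e["user"], int(e["records"])))
    events.sort(key=lambda ev: ev[0])
    findings, recent = [], {}    # recent: user -> [(ts, records)] inside WINDOW
    for ts, user, records in events:
        window = [(t, r) for t, r in recent.get(user, []) if ts - t <= WINDOW]
        window.append((ts, records))
        recent[user] = window
        if records >= BULK_THRESHOLD:
            findings.append((ts.isoformat(), user, "bulk_single_export"))
        elif sum(r for _, r in window) >= BULK_THRESHOLD:
            findings.append((ts.isoformat(), user, "bulk_cumulative_exports"))
        if ts.hour not in WORK_HOURS or ts.weekday() >= 5:
            findings.append((ts.isoformat(), user, "off_hours_export"))
    return findings

if __name__ == "__main__":
    now = datetime.fromisoformat("2026-04-21T00:00:00+08:00")
    for finding in find_suspicious_exports(SAMPLE_LOG.splitlines(), now):
        print(finding)
```

With the default 90-day lookback the January export falls outside the window; widening `lookback_days` brings it back into scope, which is why the retention period of the source logs matters.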