SchoolBreach.org
BreachesTrendsToolsLearnAbout
Free Security Check
Security Check
SchoolBreach.org

A public resource tracking data breaches in Philippine schools. Helping administrators protect student data through awareness, education, and free security tools.

© 2026 SchoolBreach.org · A community service by OceanEd

Navigate

  • Breaches
  • Trends
  • Tools
  • Learn
  • Methodology

Company

  • About
  • Privacy Policy
  • Terms of Service
  • Contact Us

Disclaimer: This tracker is maintained for educational and awareness purposes. Incidents are documented using threat intelligence monitoring, Philippine media reports, NPC filings, and responsible disclosures. Social media platforms are monitored for leads and are corroborated before publication or naming — never through active scanning or exploitation. Severity ratings and summaries are prepared with AI assistance and reviewed editorially. Full methodology →

Back to Breach Tracker
Website Defacement
HighUnder Investigation

A state university in MIMAROPA

The name of this institution has been withheld pending verification of the source. This entry is based on an unconfirmed report.

On May 2, 2026, the Facebook account 'Nullsec Philippines' publicly posted a defacement claim against a state university in the MIMAROPA region, listing several of the institution's internal management information system (MIS) subdomains — covering its assets, records, and library functions — as having received `nullsec.html` marker pages. The post also bundled roughly twenty additional defaced URLs on unrelated infrastructure, framing the operation as a coordinated mass-mirror. Multiple screenshots were attached, including images of the defacement page, what appear to be administrative views of an internal MIS dashboard, and an apparent employee identity record — evidence that, if authentic, suggests the actor's access went beyond simple web defacement. The post was signed 'Yasuo' and ended with 'mirror? done~'. The institution has not issued a public statement and the named subdomains have not been independently re-checked at the time of this entry. The university name, its province, the literal subdomain prefixes, and any individual identities visible in the attached screenshots have been withheld in public display pending corroboration.

May 2, 2026Not claimed numerically; attached screenshots suggest admin-tier visibility into the institution's MIS rather than defacement alone records affected

Key Facts

Date of Incident
May 2, 2026
Date Discovered
May 2, 2026
Records Affected
Not claimed numerically; attached screenshots suggest admin-tier visibility into the institution's MIS rather than defacement alone
Source
Nullsec Philippines (Facebook)
Data Types Exposed
Website content (defacement of internal MIS subdomains)Subdomain attribution (multiple institutional MIS subdomains by function)Apparent admin-dashboard screenshots of an internal MISApparent employee identity record (visible in attached screenshot)
Response / Action Taken

No public statement from the institution has been observed at the time of this entry. The current state of the three named MIS subdomains has not been independently re-checked. Status will be updated if and when the school, NPC, or independent reporting confirms the access vector, scope, and remediation.

What Happened

On May 2, 2026, the Facebook account using the name Nullsec Philippines publicly posted addressing a state university in the MIMAROPA region. The post named the institution and reported a defacement of multiple of its internal management information system (MIS) subdomains, covering its assets, records, and library functions. Each named subdomain was claimed to serve a `nullsec.html` marker page.

Below those institutional URLs, a separator line and roughly twenty additional URLs were listed, all pointing to `nullsec.html` marker pages on unrelated third-party infrastructure — a Philippine business platform stack (AMS, audit-portal, CMS, CRMS, DMS, ERP, files, LMS, PLP, POS, QR-code, server, SIS subdomains) and one separate marketing-and-mail domain. The post closed with "mirror? done~" and was signed "Yasuo | Nullsec Philippines".

The literal institutional subdomain prefixes and hostnames are not reproduced here: each prefix on its own is distinctive enough to reverse-identify the institution via DNS or search, which would defeat the anonymization applied to the rest of this entry.

Attached Evidence: Screenshots Suggest More Than Defacement

The post included multiple attached images. Reviewed at the institutional level (specific identities, tables, and dashboard contents are not reproduced here), the attachments include:

  • The defacement page itself, showing the Nullsec Philippines branding placed on at least one of the named MIS subdomains
  • What appears to be an administrative view of an internal MIS, including list-of-records dashboards and configuration screens consistent with logged-in staff access rather than a public student-facing portal
  • An apparent employee identity record (an ID-card style image of one individual)
  • What appear to be data tables consistent with rows of MIS records, partially obscured

If the screenshots are authentic and depict the institution's own systems, the appropriate read is that the actor obtained more than the file-system access required to upload a marker page — they obtained at least browse-level visibility into the MIS itself, and very likely the credentials or session needed to reach that view. This is materially more serious than the marker-page defacement implied by the URL list alone, and is the basis for marking this entry severity: high rather than the low/medium typical of a pure defacement.

The individual identity visible in the ID-card screenshot is not reproduced or named anywhere on this site. Per our methodology, no employee personal details are published except for publicly identified spokespersons acting in their official capacity.

What Makes This Disclosure Different: Bundled Mass-Mirror

Most Nullsec Philippines defacement claims tracked on this site target a single institution at a time — see the Assumption College of Davao defacement (April 2), the Cebu City private university subdomain defacement (April 1), and the La Union colleges defacement (March 29). This post is structurally different: the university's three MIS subdomains appear at the top of a single mass-mirror dump that also touches an unrelated business platform stack.

Two readings are possible from the post structure alone:

  1. 1.Shared hosting or shared deployment infrastructure — the bundling implies the actor pivoted across multiple targets from a single foothold, similar to the shared hosting compromise that took down two La Union colleges in March
  2. 2.Independent compromises mirrored together for visibility — the actor may have separately defaced each target and grouped them in one post for reach

Neither reading has been independently confirmed. The implication for the university is the same either way: each named subdomain should be treated as having received attacker-controlled content until proven otherwise.

What Is and Isn't Confirmed

Confirmed from the post and its attached screenshots:

  • The threat actor publicly named the institution and listed three of its MIS subdomains as affected
  • The actor claims to have placed `nullsec.html` marker pages, consistent with prior Nullsec Philippines defacement methodology
  • The post is part of a larger mirror dump that the actor ties to the same campaign
  • The post includes screenshots that, taken at face value, depict an administrative view of an internal MIS — including dashboard interfaces and at least one apparent employee identity record. If authentic, this evidences access well beyond file-upload of a marker page

Not confirmed:

  • Whether the named subdomains currently serve attacker content or have been restored
  • The vulnerability class used (file upload bug, default credentials, exposed CMS endpoint, shared infrastructure compromise, etc.) — the actor did not describe the technical mechanism
  • Whether write access to the web layer extended to the underlying student, records, or library databases — admin-tier visibility implied by the screenshots does not by itself prove bulk exfiltration, but it is consistent with the level of access required to read or modify records in the MIS
  • Whether the screenshots are authentic captures from the institution's own systems rather than fabricated or sourced from a different deployment of the same software
  • Whether the university has been notified, has notified the National Privacy Commission (NPC), or has begun remediation

This entry is sourced solely from the threat actor's social-media post and is therefore tracked as investigating pending independent verification. The institution name has been withheld in public display.

Attacker

The post was signed Yasuo with a co-attribution line of Nullsec Philippines. The same handle and broader Nullsec collective have been tied to the Assumption College of Davao defacement (April 2), the La Union colleges shared-hosting compromise (March 29), and the broader Nullsec / Fawkes Pilipinas / Crypt0nymz campaign documented elsewhere in this dataset, including the San Juan, Batangas Catholic K-12 claim (May 1), the Rosario, Batangas private school claim (April 28), and the Cebu City private university subdomain defacement (April 1).

Recommended Actions for the Institution

  1. 1.Take the affected MIS subdomains offline immediately — replacing them with a maintenance page is preferable to leaving subdomains capable of serving attacker-uploaded content reachable while the access vector is being scoped
  2. 2.Preserve web, application, file-system, and authentication logs for the three named subdomains and for any shared web server or CMS that hosts them — at minimum the past 30 days, before logs age out
  3. 3.Treat backend databases as in-scope until proven otherwise — the access required to upload a defacement page to an MIS subdomain often extends to the database that subdomain reads from. Audit the records, library, and assets databases for unauthorized reads, writes, or new accounts
  4. 4.Force credential and session resets on every administrative account that touches the affected subdomains, and rotate any shared service credentials they use
  5. 5.Assess whether other MIS subdomains share the same access vector — if all three named subdomains were reached via a single file-upload bug, default credential, or shared CMS instance, the rest of the institution's web estate likely has the same exposure
  6. 6.Notify the National Privacy Commission (NPC) within 72 hours under RA 10173 — defacement of subdomains explicitly named "records," "library," and "assets" creates reasonable suspicion that personal data was placed at risk. The notification threshold is risk to personal data, not the institution's certainty that exfiltration occurred
  7. 7.Issue a public statement acknowledging the incident and describing remediation — silence in the face of a public defacement claim creates space for misinformation and erodes community trust
MIMAROPAstate universitywebsite defacementNullsecPhilippinesYasuoMIS subdomainsmass mirrorhacktivism2026unconfirmed

Related Incidents

Critical

A state university in Mindanao

May 10, 2026

High

A state university in Metro Manila

July 4, 2026

High

A state university in Western Visayas

May 20, 2026

Know of a Breach?

Help us keep this tracker accurate and complete. Report school data breaches confidentially.

Report a Breach

Is This Entry Inaccurate?

If you represent the named institution or have evidence that corrects or updates this entry, you can request a correction or submit an official statement for publication.

We review all correction requests and respond within 5 business days. Verified corrections are applied promptly. Institutions may also submit a statement that will appear on this page as a right of reply.

Request a Correction

Protect Your School

Use our free tools and guides to assess your school's security posture.

Free Security ToolsGuides & Resources