What Happened
On May 1, 2026, a Facebook account using the name Nullsec Philippines published a public post addressed to a state university in Nueva Vizcaya. The post opened with "Greetings, [school name]", asked in Tagalog whether the pictured applicant had passed ("Ask ko lang po sana kung pumasa po ba siya?"), and joked about the applicant's profile photo. The post was signed with the hashtag #crypt0nymz and included greetz to CyberFr0st, Zeus, Lei$, 0xTerror, 0xSeve, X10N, Nostra & Friends, B3RT, NSC, Ch4nc3ll0rx 1337, with special greetz to Fawkes Pilipinas and Crypt0nymz. This is the same constellation of handles credited in the claim involving the private school in Rosario, Batangas and in earlier incidents tracked on this site.
What the Screenshot Shows
A single screenshot accompanied the post, showing what appears to be the logged-in applicant view of the university's College Admission Test (CAT) portal:
- Left navigation: Home, My Application, Exam Result, My Profile, Change Password — consistent with a standard applicant self-service portal, not an administrative console
- Profile photo: the applicant's headshot, displayed in the sidebar avatar area, was shown in the post (and was the basis for the actor's mocking caption)
- Reference ID panel: instructional text reminding applicants to record their reference ID and not to share it
- Profile completion meters: Data Profile 50%, Educational Info 100%, Principal's Recommendation 100%, Profile Photo 100%
- Application Status: "PENDING" (yellow banner)
- Examination Details: campus, venue/room, date, and time of the assigned examination
The exam date visible in the screenshot falls in a prior academic year, which suggests the accessed account may belong to a past or rolled-over applicant rather than one from the current cycle. This does not reduce the privacy harm to the affected individual, whose photograph and exam assignment are now public.
What Is and Isn't Confirmed
Visible from the screenshot itself:
- A logged-in session on the university's CAT applicant portal
- One applicant's photograph, profile-completion state, application status, and exam assignment have been exposed publicly
- The interface shown is the applicant-facing portal (Home / My Application / Exam Result / My Profile), not an administrator dashboard
Not confirmed:
- The access vector — whether the actor obtained the applicant's credentials (phishing, credential stuffing, leaked password reuse), exploited an authentication flaw (broken auth, IDOR, session fixation), or has wider access they have not demonstrated
- Whether other applicant accounts are reachable by the same method
- Whether any administrative or back-end access has been obtained
- Whether the affected applicant has been notified by the institution
This entry is sourced solely from the threat actor's social-media post and is therefore tracked as "investigating" pending independent confirmation. The institution name has been redacted in public display, and the affected applicant's photograph is not reproduced on this site.
Why Single-Account Access Still Matters
A single compromised applicant account is a meaningfully smaller incident than a database extraction or admin takeover, but it is not a non-event:
1. The same access vector usually scales. Credential reuse, weak password policies, missing rate-limiting on login endpoints, and broken session handling rarely affect exactly one account — if the actor got in once, the path almost certainly works for other accounts
2. The disclosed data is sensitive. An applicant's photograph, exam venue, and date are sufficient to enable physical-world harassment, impersonation at the test site, or social-engineering of testing-center staff
3. The applicant is a third party who did not consent to having their photo and exam details published, and may be a minor or a recent graduate (typical CAT cohort)
4. Public mockery compounds the harm. Even if the technical breach is small, the public-facing component (a viral post mocking an applicant by name and photo) creates reputational harm to both the individual and the institution
Recommended Actions for the Institution
Within the first hour:
1. Identify the affected applicant from the visible reference ID / exam assignment and contact them directly to acknowledge the exposure and offer support
2. Force a password reset on the affected account and invalidate all active sessions
3. Preserve evidence — capture web, application, and authentication logs for the affected account before they age out, and snapshot the current state of the portal
4. Check for the same access on other accounts — review login logs for unusual IPs, off-hours access, or repeated failed-then-successful logins across the applicant base
Within 72 hours (Data Privacy Act notification window):
1. Notify the National Privacy Commission (NPC) — under RA 10173, even single-record incidents involving sensitive personal information should be assessed for notification, and unconfirmed scope leans toward reporting rather than waiting
2. Notify the affected applicant in writing with a description of what was accessed, what is being done, and what they can do (change passwords on reused accounts, watch for phishing referencing their CAT details)
3. Issue a public statement confirming the incident, scope, and remediation steps — silence is consistently the response that produces the worst long-term reputational outcome
Within one week:
1. Determine the access vector — pull authentication logs for the affected account and check whether the login originated from a known applicant device, an unusual IP, a pattern consistent with credential stuffing, or a session-replay
2. Audit the CAT portal's authentication and session handling — verify that login is rate-limited, that passwords are stored with a modern hash (bcrypt/argon2), that session tokens are HttpOnly and rotated on login, and that there is no IDOR allowing one applicant to enumerate another's records
3. Implement multi-factor authentication for applicants — even a soft second factor (email or SMS OTP) materially raises the cost of credential-based intrusion
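One way to run the session-handling part of that audit, as an added example that is not the portal's own code: compare the Set-Cookie value issued before login with the one returned by the login response. The cookie name `session_id` and the header values are constructed assumptions, and the Secure check goes beyond the items listed above.

```python
from http.cookies import SimpleCookie

def audit_session_cookie(pre_login, post_login, name="session_id"):
    """Compare the Set-Cookie value seen before login with the one returned
    by the login response. `name` is a hypothetical cookie name."""
    pre, post = SimpleCookie(), SimpleCookie()
    pre.load(pre_login)
    post.load(post_login)
    findings = []
    if name not in post:
        # Login kept the anonymous session instead of issuing a new token.
        findings.append("not-rotated")
    elif name in pre and pre[name].value == post[name].value:
        # A cookie was sent again, but with the same token value.
        findings.append("not-rotated")
    morsel = post[name] if name in post else pre.get(name)
    if morsel is None:
        return ["no-session-cookie"]
    if not morsel["httponly"]:
        findings.append("missing-httponly")  # token readable by page scripts
    if not morsel["secure"]:
        findings.append("missing-secure")    # token may travel over plain HTTP
    return findings

# Constructed header values for illustration only.
WEAK_PRE = "session_id=aaa111; Path=/"
WEAK_POST = ""  # the login response sets no new cookie
GOOD_PRE = "session_id=aaa111; Path=/; HttpOnly; Secure"
GOOD_POST = "session_id=bbb222; Path=/; HttpOnly; Secure"

if __name__ == "__main__":
    print("weak:", audit_session_cookie(WEAK_PRE, WEAK_POST))
    print("good:", audit_session_cookie(GOOD_PRE, GOOD_POST))
```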
How to Prevent This Pattern
1. Treat applicant portals as production systems — admissions portals frequently sit on smaller budgets and older codebases than core academic systems, but they hold the same class of sensitive PII (photographs of minors, identification documents, exam logistics) and need the same hardening
2. Rate-limit and monitor authentication endpoints — credential stuffing is the single most common access vector for these incidents and is trivially detectable in logs if anyone is looking
3. Disable password reuse and enforce minimum strength — the most common applicant-account compromises trace back to passwords reused from previously breached consumer services
4. Rotate / age out applicant accounts — once an admission cycle is closed, applicant accounts should be either archived behind authentication boundaries that no longer accept logins or migrated to enrolled-student accounts; long-tail accounts from prior cycles enlarge the attack surface for no operational benefit
5. Publish a security contact — a clear `security.txt` or advertised disclosure email gives genuine researchers a private channel and reduces the share of incidents that surface first on Facebook
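The log review recommended above (checking other accounts for repeated failed-then-successful logins, and monitoring authentication endpoints for credential stuffing) can be sketched as follows. This is an added example, not code from the institution; the log format, account IDs, IP addresses and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines; the layout (time, source IP, account, result)
# is an assumption, not the portal's real log format.
SAMPLE_LOG = """\
2026-04-30T02:10:01 203.0.113.7 app-1001 FAIL
2026-04-30T02:10:03 203.0.113.7 app-1002 FAIL
2026-04-30T02:10:05 203.0.113.7 app-1003 FAIL
2026-04-30T02:10:08 203.0.113.7 app-1004 OK
2026-04-30T09:15:00 198.51.100.20 app-2001 FAIL
2026-04-30T09:15:30 198.51.100.20 app-2001 OK
2026-04-30T10:00:00 198.51.100.44 app-3001 FAIL
2026-04-30T10:00:20 198.51.100.44 app-3001 FAIL
2026-04-30T10:00:40 198.51.100.44 app-3001 FAIL
2026-04-30T10:01:00 198.51.100.44 app-3001 OK
"""

def parse(text):
    events = []
    for line in text.splitlines():
        p = line.split()
        if len(p) == 4 and p[3] in ("OK", "FAIL"):  # skip malformed lines
            events.append((datetime.fromisoformat(p[0]), p[1], p[2], p[3] == "OK"))
    return sorted(events)

def stuffing_sources(events, window=timedelta(minutes=5), min_accounts=4):
    """Map each IP that tried >= min_accounts distinct accounts inside one
    window to the accounts it actually got into (reset and notify these)."""
    by_ip = defaultdict(list)
    for ts, ip, acct, ok in events:
        by_ip[ip].append((ts, acct, ok))
    flagged = {}
    for ip, rows in by_ip.items():
        if any(len({a for t, a, _ in rows[i:] if t - rows[i][0] <= window}) >= min_accounts
               for i in range(len(rows))):
            flagged[ip] = sorted({a for _, a, ok in rows if ok})
    return flagged

def fail_then_success(events, min_fails=3, window=timedelta(minutes=10)):
    """Accounts where a success follows >= min_fails failures within window."""
    fails, hits = defaultdict(list), set()
    for ts, _ip, acct, ok in events:
        recent = [t for t in fails[acct] if ts - t <= window]
        if ok and len(recent) >= min_fails:
            hits.add(acct)
        fails[acct] = [] if ok else recent + [ts]
    return sorted(hits)
```

On the sample, the first source is flagged for spraying four accounts in seconds and its one successful login is listed for reset, while a single mistyped password followed by a success is not flagged.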
Context
The institution is a state university in Region II (Cagayan Valley), with a College Admission Test (CAT) applicant portal as the affected system. The post follows the same pattern previously documented in the claim involving the private school in Rosario, Batangas: a public Facebook post under handles linked to Nullsec Philippines / Fawkes Pilipinas / Crypt0nymz, screenshots that themselves leak some of the sensitive data, and no private notification to the institution before the public post.
Compared with that earlier claim, the evidence here is materially narrower — a single applicant view rather than an admin dashboard — and the entry is scoped accordingly. It is included in the tracker because (a) the access was clearly unauthorized, (b) a third party's PII (including photograph) was published without consent, and (c) the same actor group has a documented pattern of follow-on disclosures against the same target.