SchoolBreach.org
BreachesTrendsToolsLearnAbout
Free Security Check
Security Check
SchoolBreach.org

A public resource tracking data breaches in Philippine schools. Helping administrators protect student data through awareness, education, and free security tools.

© 2026 SchoolBreach.org · A community service by OceanEd

Navigate

  • Breaches
  • Trends
  • Tools
  • Learn
  • Methodology

Company

  • About
  • Privacy Policy
  • Terms of Service
  • Contact Us

Disclaimer: This tracker is maintained for educational and awareness purposes. Incidents are documented using threat intelligence monitoring, Philippine media reports, NPC filings, and responsible disclosures. Social media platforms are monitored for leads and are corroborated before publication or naming — never through active scanning or exploitation. Severity ratings and summaries are prepared with AI assistance and reviewed editorially. Full methodology →

Back to Breach Tracker
Unauthorized Access
MediumUnder Investigation

A state university in Nueva Vizcaya

The name of this institution has been withheld pending verification of the source. This entry is based on an unconfirmed report.

On May 1, 2026, the threat-actor account 'Nullsec Philippines' posted on Facebook addressing a state university in Nueva Vizcaya, attaching a screenshot of a logged-in session on the institution's College Admission Test (CAT) applicant portal. The screenshot shows a single applicant's profile — including the applicant's photograph, reference ID area, profile-completion status, and exam venue/date/time assignments — published publicly with mocking commentary. Only single-account access is demonstrated; broader administrative compromise has not been shown. The institution name has been withheld in public display pending independent confirmation, and the affected applicant's identifying photograph is not reproduced on this site.

May 1, 2026At least 1 applicant account (broader scope unconfirmed) records affected

Key Facts

Date of Incident
May 1, 2026
Date Discovered
May 1, 2026
Records Affected
At least 1 applicant account (broader scope unconfirmed)
Source
Nullsec Philippines / Crypt0nymz (Facebook)
Data Types Exposed
Applicant photoReference IDProfile completion statusExam venue and room assignmentExam date and timeCampus assignment
Response / Action Taken

No public statement from the institution has been observed at the time of this entry. Status will be updated if and when the university, NPC, or independent reporting confirms the access vector, scope, and remediation.

What Happened

On May 1, 2026, a Facebook account using the name Nullsec Philippines publicly posted addressing a state university in Nueva Vizcaya. The post opened with "Greetings, [school name]", asked in Tagalog whether the pictured applicant had passed ("Ask ko lang po sana kung pumasa po ba siya?"), and joked about the applicant's profile photo. The post was signed with the hashtag #crypt0nymz and included greetz to CyberFr0st, Zeus, Lei\$, 0xTerror, 0xSeve, X10N, Nostra & Friends, B3RT, NSC, Ch4nc3ll0rx 1337, with special greetz to Fawkes Pilipinas and Crypt0nymz — the same constellation of handles credited in the private school in Rosario, Batangas claim and earlier incidents tracked on this site.

What the Screenshot Shows

A single screenshot accompanied the post, showing what appears to be the logged-in applicant view of the university's College Admission Test (CAT) portal:

  • Left navigation: Home, My Application, Exam Result, My Profile, Change Password — consistent with a standard applicant self-service portal, not an administrative console
  • Profile photo: the applicant's headshot, displayed in the sidebar avatar area, was shown in the post (and was the basis for the actor's mocking caption)
  • Reference ID panel: instructional text reminding applicants to record their reference ID and not to share it
  • Profile completion meters: Data Profile 50%, Educational Info 100%, Principal's Recommendation 100%, Profile Photo 100%
  • Application Status: "PENDING" (yellow banner)
  • Examination Details: campus, venue/room, date, and time of the assigned examination

The visible exam date in the screenshot is dated to a prior academic year, which suggests the accessed account may belong to a past or rolled-over applicant rather than a current cycle — but this does not reduce the privacy harm to the affected individual, whose photograph and exam assignment are now public.

What Is and Isn't Confirmed

Visible from the screenshot itself:

  • A logged-in session on the university's CAT applicant portal
  • One applicant's photograph, profile-completion state, application status, and exam assignment have been exposed publicly
  • The interface shown is the applicant-facing portal (Home / My Application / Exam Result / My Profile), not an administrator dashboard

Not confirmed:

  • The access vector — whether the actor obtained the applicant's credentials (phishing, credential stuffing, leaked password reuse), exploited an authentication flaw (broken auth, IDOR, session fixation), or has wider access they have not demonstrated
  • Whether other applicant accounts are reachable by the same method
  • Whether any administrative or back-end access has been obtained
  • Whether the affected applicant has been notified by the institution

This entry is sourced solely from the threat actor's social-media post and is therefore tracked as investigating pending independent confirmation. The institution name has been redacted in public display, and the affected applicant's photograph is not reproduced on this site.

Why Single-Account Access Still Matters

A single compromised applicant account is a meaningfully smaller incident than a database extraction or admin takeover, but it is not a non-event:

  1. 1.The same access vector usually scales. Credential reuse, weak password policies, missing rate-limiting on login endpoints, and broken session handling rarely affect exactly one account — if the actor got in once, the path almost certainly works for other accounts
  2. 2.The disclosed data is sensitive. An applicant's photograph, exam venue, and date are sufficient to enable physical-world harassment, impersonation at the test site, or social-engineering of testing-center staff
  3. 3.The applicant is a third party who did not consent to having their photo and exam details published, and may be a minor or a recent-graduate (typical CAT cohort)
  4. 4.Public mockery compounds the harm. Even if the technical breach is small, the public-facing component (a viral post mocking an applicant by name and photo) creates reputational harm to both the individual and the institution

Recommended Actions for the Institution

Within the first hour:

  1. 1.Identify the affected applicant from the visible reference ID / exam assignment and contact them directly to acknowledge the exposure and offer support
  2. 2.Force a password reset on the affected account and invalidate all active sessions
  3. 3.Preserve evidence — capture web, application, and authentication logs for the affected account before they age out, and snapshot the current state of the portal
  4. 4.Check for the same access on other accounts — review login logs for unusual IPs, off-hours access, or repeated failed-then-successful logins across the applicant base

Within 72 hours (Data Privacy Act notification window):

  1. 1.Notify the National Privacy Commission (NPC) — under RA 10173, even single-record incidents involving sensitive personal information should be assessed for notification, and unconfirmed scope leans toward reporting rather than waiting
  2. 2.Notify the affected applicant in writing with a description of what was accessed, what is being done, and what they can do (change passwords on reused accounts, watch for phishing referencing their CAT details)
  3. 3.Issue a public statement confirming the incident, scope, and remediation steps — silence is consistently the response that produces the worst long-term reputational outcome

Within one week:

  1. 1.Determine the access vector — pull authentication logs for the affected account and check whether the login originated from a known applicant device, an unusual IP, a pattern consistent with credential stuffing, or a session-replay
  2. 2.Audit the CAT portal's authentication and session handling — verify that login is rate-limited, that passwords are stored with a modern hash (bcrypt/argon2), that session tokens are HttpOnly and rotated on login, and that there is no IDOR allowing one applicant to enumerate another's records
  3. 3.Implement multi-factor authentication for applicants — even a soft second factor (email or SMS OTP) materially raises the cost of credential-based intrusion

How to Prevent This Pattern

  1. 1.Treat applicant portals as production systems — admissions portals frequently sit on smaller budgets and older codebases than core academic systems, but they hold the same class of sensitive PII (photographs of minors, identification documents, exam logistics) and need the same hardening
  2. 2.Rate-limit and monitor authentication endpoints — credential stuffing is the single most common access vector for these incidents and is trivially detectable in logs if anyone is looking
  3. 3.Disable password reuse and enforce minimum strength — the most common applicant-account compromises trace back to passwords reused from previously-breached consumer services
  4. 4.Rotate / age out applicant accounts — once an admission cycle is closed, applicant accounts should be either archived behind authentication boundaries that no longer accept logins or migrated to enrolled-student accounts; long-tail accounts from prior cycles enlarge the attack surface for no operational benefit
  5. 5.Publish a security contact — a clear `security.txt` or advertised disclosure email gives genuine researchers a private channel and reduces the share of incidents that surface first on Facebook

Context

The institution is a state university in Region II (Cagayan Valley), with a College Admission Test (CAT) applicant portal as the affected system. The post follows the same pattern previously documented in the private school in Rosario, Batangas claim: a public Facebook post under handles linked to Nullsec Philippines / Fawkes Pilipinas / Crypt0nymz, screenshots that themselves leak some of the sensitive data, and no private notification to the institution before the public post.

Compared with that earlier claim, the evidence here is materially narrower — a single applicant view rather than an admin dashboard — and the entry is scoped accordingly. It is included in the tracker because (a) the access was clearly unauthorized, (b) a third party's PII (including photograph) was published without consent, and (c) the same actor group has a documented pattern of follow-on disclosures against the same target.

Cagayan ValleyRegion IIstate universityadmission test portalapplicant PIIaccount compromiseunauthorized accessCrypt0nymzNullsecPhilippinesFawkes Pilipinassocial mediaunconfirmed2026

Related Incidents

High

A Christian school in Imus City, Cavite

May 1, 2026

High

A Catholic K-12 institution in San Juan, Batangas

May 1, 2026

High

A private school in Rosario, Batangas

April 28, 2026

Know of a Breach?

Help us keep this tracker accurate and complete. Report school data breaches confidentially.

Report a Breach

Is This Entry Inaccurate?

If you represent the named institution or have evidence that corrects or updates this entry, you can request a correction or submit an official statement for publication.

We review all correction requests and respond within 5 business days. Verified corrections are applied promptly. Institutions may also submit a statement that will appear on this page as a right of reply.

Request a Correction

Protect Your School

Use our free tools and guides to assess your school's security posture.

Free Security ToolsGuides & Resources