What Happened
On May 20, 2026, the Facebook account 4b1smo — already documented on this site as a Nullsec Philippines-affiliated account (prior 4b1smo entries) — published a short post addressed to a state university in Western Visayas. The post text consisted of a single word, "hmmm," followed by tags to the institution's official Public Information Office Facebook page.
Attached to the post was a single composite screenshot showing the institution's official homepage (the university's web banner and a featured student-spotlight slide are clearly visible) with a Windows Notepad window overlaid. The Notepad contents read:
```
TANGINANG YAN HAHAHAH 4B1SMO
DATABASE
[grades_db_1]
[grades_db_2]
[grades_db_3]
[grades_db_4]
information_schema
```
(The first line is a Filipino expletive directed at the institution followed by the actor's handle. The four bracketed names in the rendered post are concrete database names following a uniform `<institution>_grades<4-digit-id>` pattern; the exact strings are withheld here because they embed the institution's short name.)
The post does not include sample rows, a record count, a downloadable file, an affected URL on the institution's own infrastructure, or any description of the vulnerability class. The only evidence offered is the Notepad screenshot listing the database names.
What the Screenshot Actually Tells Us
The single most operationally significant detail in the screenshot is the presence of `information_schema` in the listed databases. `information_schema` is a standard, built-in MySQL/MariaDB system database that contains metadata about every other database on the server (schemas, tables, columns, privileges, character sets). It is not a database an application would ever store its own data in.
Its appearance in a flat list alongside four custom `<institution>_grades<id>` databases is consistent with exactly two things:
- 1.The output of a `SHOW DATABASES;` command executed against the MySQL/MariaDB server by an authenticated user
- 2.The output of a `SELECT schema_name FROM information_schema.schemata` query — the standard way to enumerate databases from inside a SQL-injection payload (often used with `UNION SELECT`)
Both require either valid database credentials or a SQL-injection foothold on an application that connects to that database server. They are not something an unauthenticated outsider can produce by visiting a public page.
The naming pattern of the four custom databases — `<institution>_grades` plus a short numeric ID — is also informative. This is not a single application database; it is a set of per-cohort or per-campus grades databases, likely one per unit of the multi-campus state university system. A schema like this often arises when each campus or satellite college runs its own grades application on a shared database server but with its own database.
What Is and Isn't Confirmed
Confirmed from the post itself:
- A Nullsec Philippines-affiliated threat actor publicly named the institution
- A screenshot exists showing the institution's homepage with an overlaid Notepad listing what appear to be database names from the institution's MySQL/MariaDB server
- The list includes the `information_schema` system database, which is consistent only with authenticated database access or SQL-injection enumeration
- The naming pattern implies multiple per-cohort or per-campus grades databases on the same server
Not confirmed:
- The authenticity of the screenshot
- Whether the actor has read access to the contents of any of the listed databases (the screenshot only shows database names, not table contents)
- Whether any records have been exfiltrated — the post does not claim a record count and no sample is published
- The specific vulnerability or credential the actor used to obtain the listing
- Whether the institution has been notified or has begun any incident response
- Whether the National Privacy Commission (NPC) has been notified
This entry is sourced solely from a threat-actor social-media post and is therefore tracked as investigating. Severity is recorded as high because (a) the listed databases are grades databases for a public state university, (b) enumeration of `information_schema` indicates a meaningful access foothold rather than a visual mockup, and (c) the multi-database pattern means a single exploit could affect every campus represented in the list. The institution name has been withheld in public display.
Attacker
The post was published by 4b1smo, a Facebook account already documented on this site as Nullsec Philippines-affiliated. The same account previously published the IBA College of Mindanao Inc. website breach (May 3) and the foundation college in Mindanao "weak security" claim (May 3), both re-shared by the Nullsec Philippines main page.
A separate post on the same 4b1smo profile, dated May 9, 2026, refers to "celebrating our upcoming 1st anniversary" against a Nullsec Philippines banner — placing the public-facing tempo of the account in line with the broader Nullsec / Fawkes Pilipinas / Crypt0nymz campaign documented across many entries on this site, including the DepEd Training Platform CSV leak (May 3), the MIMAROPA state university MIS defacement (May 2), the Laguna technical-institute off-domain claim (May 2), and the San Juan, Batangas Catholic K-12 claim (May 1).
Why This Matters
- State-university grades data — even at the floor of what the screenshot proves (database names, not contents), the listed databases are explicitly grades databases for a public state university. If the actor's access extends to row-level reads, this is academic records for a multi-campus student population
- Multi-database blast radius — the per-cohort or per-campus naming pattern means a SQL-injection or credential compromise on the shared database server could expose every campus represented in the list, not just one
- information_schema as a foothold signal — enumeration via `information_schema` is the standard first step in a SQL-injection exploitation chain. An actor who can produce this listing is typically one query away from `SELECT table_name FROM information_schema.tables WHERE table_schema = '...'` and then row-level reads
- No sample published — yet — the Nullsec / 4b1smo operational pattern documented elsewhere on this site is a thin first post followed within hours or days by a heavier follow-up (sample data, download link, or escalation by a sister account). The absence of a sample in this first post should not be read as the absence of access
- Public Information Office tag — addressing the post to the institution's PIO page is consistent with the actor's prior framing of "time to fix" — a public, semi-coercive disclosure pattern rather than private notification
Recommended Actions for the Institution
- 1.Treat the screenshot as a credible foothold indicator — the appearance of `information_schema` alongside the custom databases is not something an unauthenticated outsider produces by visiting a public page. Assume either valid credentials are in third-party hands or a SQL-injection vulnerability exists on an application that connects to this database server
- 2.Identify which application(s) connect to the listed grades databases — every web app, portal, or report tool that uses one of those database credentials is a candidate entry point. Audit each for injection-class vulnerabilities (parameterize all queries; do not rely on a WAF as the primary defense)
- 3.Rotate database credentials for the affected server — every application database user, especially any with privileges beyond the single database it should own. The web application's database user should have minimal privileges (read-only on specific tables, not server-wide SELECT)
- 4.Audit MySQL/MariaDB access logs and the general query log — look for `information_schema` queries from web-facing application users, `UNION SELECT` patterns, and large or unusual reads against the listed grades databases over the past 90 days at minimum
- 5.Take any student-facing grades portal offline pending investigation — a maintenance page is preferable to leaving a known-attacked endpoint reachable while triage is underway
- 6.Notify the National Privacy Commission (NPC) within 72 hours under RA 10173 — the threshold is risk to personal data, not certainty of exfiltration. The actor's screenshot meets the risk threshold even without a published sample
- 7.Preserve evidence — save the post, the screenshot, and any related logs while the issue is being investigated; copies may be removed from Facebook or the source profile may be taken down
- 8.Monitor for follow-up posts — Nullsec Philippines and 4b1smo have demonstrated a pattern of follow-up posts when a first claim is thin; a subsequent post within days could include sample rows or a download link
How This Type of Attack Works
When a public-facing application is vulnerable to SQL injection and connects to a database server that hosts multiple databases under one MySQL/MariaDB user, the following enumeration is standard:
```sql
-- Step 1: list every database on the server
SELECT schema_name FROM information_schema.schemata;
-- Step 2: list every table in a chosen database
SELECT table_name FROM information_schema.tables WHERE table_schema = 'target_db';
-- Step 3: list every column in a chosen table
SELECT column_name FROM information_schema.columns WHERE table_schema = 'target_db' AND table_name = 'target_table';
-- Step 4: read rows
SELECT * FROM target_db.target_table LIMIT 100;
```
The screenshot in this post is consistent with the output of Step 1. The actor has chosen to publish only Step 1, which is enough to embarrass the institution and signal access without exposing student rows that would attract law-enforcement attention. The operational risk is that the same access vector supports Steps 2-4 immediately.
The defense is parameterized queries (prepared statements) on every application that touches the database, plus a per-application database user with privileges scoped to only the databases and tables that application needs. A single shared MySQL user with server-wide SELECT is the configuration that turns one application bug into a multi-campus grades leak.