SchoolBreach.org
BreachesTrendsToolsLearnAbout
Free Security Check
Security Check
SchoolBreach.org

A public resource tracking data breaches in Philippine schools. Helping administrators protect student data through awareness, education, and free security tools.

© 2026 SchoolBreach.org · A community service by OceanEd

Navigate

  • Breaches
  • Trends
  • Tools
  • Learn
  • Methodology

Company

  • About
  • Privacy Policy
  • Terms of Service
  • Contact Us

Disclaimer: This tracker is maintained for educational and awareness purposes. Incidents are documented using threat intelligence monitoring, Philippine media reports, NPC filings, and responsible disclosures. Social media platforms are monitored for leads and are corroborated before publication or naming — never through active scanning or exploitation. Severity ratings and summaries are prepared with AI assistance and reviewed editorially. Full methodology →

Back to Breach Tracker
Unauthorized Access
HighUnder Investigation

A state university in Western Visayas

The name of this institution has been withheld pending verification of the source. This entry is based on an unconfirmed report.

On May 20, 2026, the Facebook account '4b1smo' (a Nullsec Philippines-affiliated account) addressed a state university in Western Visayas with the one-word framing 'hmmm,' tagging the institution's official Public Information Office page. The post included a single composite screenshot of the institution's homepage with a Notepad window overlaid, captioned 'TANGINANG YAN HAHAHAH 4B1SMO' and headed 'DATABASE'. The Notepad listed four grades-related database names alongside the standard MySQL information_schema system database — a pattern consistent with the output of either a `SHOW DATABASES` command or a `SELECT schema_name FROM information_schema.schemata` query, both of which require either authenticated database access or an SQL-injection foothold to obtain from outside. No sample rows, no record count, no specific URL, and no exfiltrated file were attached. The institution name has been withheld in public display pending corroboration.

May 20, 2026Unknown (databases enumerated; no record count claimed) records affected

Key Facts

Date of Incident
May 20, 2026
Date Discovered
May 20, 2026
Records Affected
Unknown (databases enumerated; no record count claimed)
Source
4b1smo (Facebook)
Data Types Exposed
Database schema names (multiple grades databases enumerated alongside information_schema)
Response / Action Taken

No public statement from the institution has been observed at the time of this entry. Status will be updated if and when the school, NPC, or independent reporting confirms the access vector, the scope of database access, and remediation.

What Happened

On May 20, 2026, the Facebook account 4b1smo — already documented on this site as a Nullsec Philippines-affiliated account (prior 4b1smo entries) — published a short post addressed to a state university in Western Visayas. The post text consisted of a single word, "hmmm," followed by tags to the institution's official Public Information Office Facebook page.

Attached to the post was a single composite screenshot showing the institution's official homepage (the university's web banner and a featured student-spotlight slide are clearly visible) with a Windows Notepad window overlaid. The Notepad contents read:

```

TANGINANG YAN HAHAHAH 4B1SMO

DATABASE

[grades_db_1]

[grades_db_2]

[grades_db_3]

[grades_db_4]

information_schema

```

(The first line is a Filipino expletive directed at the institution followed by the actor's handle. The four bracketed names in the rendered post are concrete database names following a uniform `<institution>_grades<4-digit-id>` pattern; the exact strings are withheld here because they embed the institution's short name.)

The post does not include sample rows, a record count, a downloadable file, an affected URL on the institution's own infrastructure, or any description of the vulnerability class. The only evidence offered is the Notepad screenshot listing the database names.

What the Screenshot Actually Tells Us

The single most operationally significant detail in the screenshot is the presence of `information_schema` in the listed databases. `information_schema` is a standard, built-in MySQL/MariaDB system database that contains metadata about every other database on the server (schemas, tables, columns, privileges, character sets). It is not a database an application would ever store its own data in.

Its appearance in a flat list alongside four custom `<institution>_grades<id>` databases is consistent with exactly two things:

  1. 1.The output of a `SHOW DATABASES;` command executed against the MySQL/MariaDB server by an authenticated user
  2. 2.The output of a `SELECT schema_name FROM information_schema.schemata` query — the standard way to enumerate databases from inside a SQL-injection payload (often used with `UNION SELECT`)

Both require either valid database credentials or a SQL-injection foothold on an application that connects to that database server. They are not something an unauthenticated outsider can produce by visiting a public page.

The naming pattern of the four custom databases — `<institution>_grades` plus a short numeric ID — is also informative. This is not a single application database; it is a set of per-cohort or per-campus grades databases, likely one per unit of the multi-campus state university system. A schema like this often arises when each campus or satellite college runs its own grades application on a shared database server but with its own database.

What Is and Isn't Confirmed

Confirmed from the post itself:

  • A Nullsec Philippines-affiliated threat actor publicly named the institution
  • A screenshot exists showing the institution's homepage with an overlaid Notepad listing what appear to be database names from the institution's MySQL/MariaDB server
  • The list includes the `information_schema` system database, which is consistent only with authenticated database access or SQL-injection enumeration
  • The naming pattern implies multiple per-cohort or per-campus grades databases on the same server

Not confirmed:

  • The authenticity of the screenshot
  • Whether the actor has read access to the contents of any of the listed databases (the screenshot only shows database names, not table contents)
  • Whether any records have been exfiltrated — the post does not claim a record count and no sample is published
  • The specific vulnerability or credential the actor used to obtain the listing
  • Whether the institution has been notified or has begun any incident response
  • Whether the National Privacy Commission (NPC) has been notified

This entry is sourced solely from a threat-actor social-media post and is therefore tracked as investigating. Severity is recorded as high because (a) the listed databases are grades databases for a public state university, (b) enumeration of `information_schema` indicates a meaningful access foothold rather than a visual mockup, and (c) the multi-database pattern means a single exploit could affect every campus represented in the list. The institution name has been withheld in public display.

Attacker

The post was published by 4b1smo, a Facebook account already documented on this site as Nullsec Philippines-affiliated. The same account previously published the IBA College of Mindanao Inc. website breach (May 3) and the foundation college in Mindanao "weak security" claim (May 3), both re-shared by the Nullsec Philippines main page.

A separate post on the same 4b1smo profile, dated May 9, 2026, refers to "celebrating our upcoming 1st anniversary" against a Nullsec Philippines banner — placing the public-facing tempo of the account in line with the broader Nullsec / Fawkes Pilipinas / Crypt0nymz campaign documented across many entries on this site, including the DepEd Training Platform CSV leak (May 3), the MIMAROPA state university MIS defacement (May 2), the Laguna technical-institute off-domain claim (May 2), and the San Juan, Batangas Catholic K-12 claim (May 1).

Why This Matters

  • State-university grades data — even at the floor of what the screenshot proves (database names, not contents), the listed databases are explicitly grades databases for a public state university. If the actor's access extends to row-level reads, this is academic records for a multi-campus student population
  • Multi-database blast radius — the per-cohort or per-campus naming pattern means a SQL-injection or credential compromise on the shared database server could expose every campus represented in the list, not just one
  • information_schema as a foothold signal — enumeration via `information_schema` is the standard first step in a SQL-injection exploitation chain. An actor who can produce this listing is typically one query away from `SELECT table_name FROM information_schema.tables WHERE table_schema = '...'` and then row-level reads
  • No sample published — yet — the Nullsec / 4b1smo operational pattern documented elsewhere on this site is a thin first post followed within hours or days by a heavier follow-up (sample data, download link, or escalation by a sister account). The absence of a sample in this first post should not be read as the absence of access
  • Public Information Office tag — addressing the post to the institution's PIO page is consistent with the actor's prior framing of "time to fix" — a public, semi-coercive disclosure pattern rather than private notification

Recommended Actions for the Institution

  1. 1.Treat the screenshot as a credible foothold indicator — the appearance of `information_schema` alongside the custom databases is not something an unauthenticated outsider produces by visiting a public page. Assume either valid credentials are in third-party hands or a SQL-injection vulnerability exists on an application that connects to this database server
  2. 2.Identify which application(s) connect to the listed grades databases — every web app, portal, or report tool that uses one of those database credentials is a candidate entry point. Audit each for injection-class vulnerabilities (parameterize all queries; do not rely on a WAF as the primary defense)
  3. 3.Rotate database credentials for the affected server — every application database user, especially any with privileges beyond the single database it should own. The web application's database user should have minimal privileges (read-only on specific tables, not server-wide SELECT)
  4. 4.Audit MySQL/MariaDB access logs and the general query log — look for `information_schema` queries from web-facing application users, `UNION SELECT` patterns, and large or unusual reads against the listed grades databases over the past 90 days at minimum
  5. 5.Take any student-facing grades portal offline pending investigation — a maintenance page is preferable to leaving a known-attacked endpoint reachable while triage is underway
  6. 6.Notify the National Privacy Commission (NPC) within 72 hours under RA 10173 — the threshold is risk to personal data, not certainty of exfiltration. The actor's screenshot meets the risk threshold even without a published sample
  7. 7.Preserve evidence — save the post, the screenshot, and any related logs while the issue is being investigated; copies may be removed from Facebook or the source profile may be taken down
  8. 8.Monitor for follow-up posts — Nullsec Philippines and 4b1smo have demonstrated a pattern of follow-up posts when a first claim is thin; a subsequent post within days could include sample rows or a download link

How This Type of Attack Works

When a public-facing application is vulnerable to SQL injection and connects to a database server that hosts multiple databases under one MySQL/MariaDB user, the following enumeration is standard:

```sql

-- Step 1: list every database on the server

SELECT schema_name FROM information_schema.schemata;

-- Step 2: list every table in a chosen database

SELECT table_name FROM information_schema.tables WHERE table_schema = 'target_db';

-- Step 3: list every column in a chosen table

SELECT column_name FROM information_schema.columns WHERE table_schema = 'target_db' AND table_name = 'target_table';

-- Step 4: read rows

SELECT * FROM target_db.target_table LIMIT 100;

```

The screenshot in this post is consistent with the output of Step 1. The actor has chosen to publish only Step 1, which is enough to embarrass the institution and signal access without exposing student rows that would attract law-enforcement attention. The operational risk is that the same access vector supports Steps 2-4 immediately.

The defense is parameterized queries (prepared statements) on every application that touches the database, plus a per-application database user with privileges scoped to only the databases and tables that application needs. A single shared MySQL user with server-wide SELECT is the configuration that turns one application bug into a multi-campus grades leak.

Western Visayasstate universitydatabase enumerationinformation_schemaSQL injectiongradesNullsecPhilippines4b1smohacktivism2026unconfirmed

Related Incidents

Critical

A state university in Mindanao

May 10, 2026

Low

A foundation college in Mindanao

May 3, 2026

High

A state university in MIMAROPA

May 2, 2026

Know of a Breach?

Help us keep this tracker accurate and complete. Report school data breaches confidentially.

Report a Breach

Is This Entry Inaccurate?

If you represent the named institution or have evidence that corrects or updates this entry, you can request a correction or submit an official statement for publication.

We review all correction requests and respond within 5 business days. Verified corrections are applied promptly. Institutions may also submit a statement that will appear on this page as a right of reply.

Request a Correction

Protect Your School

Use our free tools and guides to assess your school's security posture.

Free Security ToolsGuides & Resources