SchoolBreach.org
BreachesTrendsToolsLearnAbout
Free Security Check
Security Check
SchoolBreach.org

A public resource tracking data breaches in Philippine schools. Helping administrators protect student data through awareness, education, and free security tools.

© 2026 SchoolBreach.org · A community service by OceanEd

Navigate

  • Breaches
  • Trends
  • Tools
  • Learn
  • Methodology

Company

  • About
  • Privacy Policy
  • Terms of Service
  • Contact Us

Disclaimer: This tracker is maintained for educational and awareness purposes. Incidents are documented using threat intelligence monitoring, Philippine media reports, NPC filings, and responsible disclosures. Social media platforms are monitored for leads and are corroborated before publication or naming — never through active scanning or exploitation. Severity ratings and summaries are prepared with AI assistance and reviewed editorially. Full methodology →

Back to Breach Tracker
Website Defacement
LowUnder Investigation

A technical institute in Laguna

The name of this institution has been withheld pending verification of the source. This entry is based on an unconfirmed report.

On May 2, 2026, the Facebook account 'Nullsec Philippines' publicly posted a one-line claim addressed to a technical institute in Laguna and linked to a defacement page hosted off-domain on a third-party Philippine content platform — not on the institution's own infrastructure. The post also linked to a public archive snapshot of that page. The post is unusual within the Nullsec batch: no school-domain subdomain is named, no data is claimed, and no specific access vector is described — the entire public footprint of the claim is a single off-domain HTML file that mentions the school. The relationship between the institution and the third-party platform has not been independently verified, and the school has not issued a public statement. The institution name, the institution's city, and the specific URLs of both the defacement page and its archive snapshot have been withheld in public display pending corroboration, because each of those URLs would otherwise reverse-identify the school.

May 2, 2026None claimed by the threat actor; relationship to the named institution not independently verified records affected

Key Facts

Date of Incident
May 2, 2026
Date Discovered
May 2, 2026
Records Affected
None claimed by the threat actor; relationship to the named institution not independently verified
Source
Nullsec Philippines (Facebook)
Data Types Exposed
Website content (defacement page on a third-party host)Institution name appearing on attacker-controlled page
Response / Action Taken

No public statement from the institution has been observed at the time of this entry. The relationship between the institution and the third-party host where the defacement page resides has not been independently verified. Status will be updated if and when the school, NPC, the third-party host, or independent reporting clarifies the affiliation and the appropriate scope of the incident.

What Happened

On May 2, 2026, the Facebook account using the name Nullsec Philippines publicly posted a one-line claim addressed to a technical institute in Laguna. The post text read:

"another one [school name] NWYAHAHHAA"

The post linked to two URLs:

  • A single HTML file hosted on a third-party Philippine content platform (the host's identity and the file's path are withheld here because the URL itself names the school)
  • A public archive snapshot of that HTML file (URL withheld for the same reason)

The post was signed "- Nostra", a handle that recurs across Nullsec Philippines attribution lines.

What Makes This Disclosure Different: Off-Domain Defacement

Most Nullsec Philippines defacements tracked on this site place the marker page on the target's own infrastructure — see the Assumption College of Davao defacement (April 2), where the school's homepage itself was overwritten, or the MIMAROPA state university MIS defacement (May 2), where three of the school's MIS subdomains were named. This post is structurally different in three ways:

  1. 1.The defacement page is hosted on a third-party platform that the school may or may not have any relationship with, not on a domain controlled by or affiliated with the school
  2. 2.No school subdomain or URL is named as defaced — the actor did not point at any `*.[school].edu.ph` resource
  3. 3.No specific access vector, sample data, or technical detail is provided — the post is a one-line caption plus two links

Three readings are possible from the post structure alone:

  • The school uses the third-party platform as part of its web presence (a community portal, an LMS-adjacent page, or a hosted content area) and the file was uploaded via that platform's file-upload functionality
  • The defacement targets a page maintained by or about the school on a community platform the school does not directly control
  • The link is not a "site defacement" against the school in any meaningful sense — rather, the actor uploaded a marker page to a vulnerable third-party host and named the school in the page contents

The third reading is materially different in impact from the first two: it would mean the institution has no security incident to remediate, and the appropriate response is to ask the third-party host to remove the page and to monitor for further misuse of the institution's name.

What Is and Isn't Confirmed

Confirmed from the post itself:

  • The threat actor publicly named the institution
  • A single HTML file on a third-party Philippine content platform was created and references the institution
  • A public archive snapshot of that file exists

Not confirmed:

  • Whether the institution operates, owns, contracts with, or is otherwise affiliated with the third-party platform in any capacity
  • Whether the defacement page is reachable from any official institutional channel (school homepage, social account, email, document)
  • Whether the actor accessed any institutional system at all — the public footprint of the claim is consistent with an unauthenticated file upload to the third-party host alone, with no involvement of the school's own systems
  • Whether the school has been notified, is aware, or considers the post to constitute an incident affecting its systems

This entry is sourced solely from the threat actor's social-media post and is therefore tracked as investigating pending independent verification of the relationship between the institution and the third-party host. The institution name, the third-party platform's identity, and the URLs of both the defacement page and its archive snapshot have been withheld in public display.

Attacker

The post was signed Nostra under the Nullsec Philippines banner. The same handle and broader Nullsec collective have been tied to the Assumption College of Davao defacement (April 2), the La Union colleges shared-hosting compromise (March 29), and the broader Nullsec / Fawkes Pilipinas / Crypt0nymz campaign documented elsewhere in this dataset, including the MIMAROPA state university MIS defacement (May 2), the San Juan, Batangas Catholic K-12 claim (May 1), the Rosario, Batangas private school claim (April 28), and the Cebu City private university subdomain defacement (April 1).

Recommended Actions for the Institution

  1. 1.Determine whether the institution has any relationship with the third-party platform — review vendor records, IT inventories, and faculty / student-org accounts to establish whether the platform is officially or unofficially used in connection with the institution. (The platform's identity is recorded internally and can be shared with the institution on request.)
  2. 2.Request takedown from the third-party host — the platform should be asked to remove the uploaded file and to confirm whether the upload was made via an authenticated account (and if so, whose) or via an unauthenticated file-upload bug
  3. 3.Preserve evidence — save the public archive snapshot and the original defacement URL (and any audit logs the platform can provide) before they are deleted
  4. 4.Issue a short factual statement if asked by the community — even if the institution had no involvement, a public defacement page bearing the school's name materially affects reputation; a one-paragraph clarification is preferable to silence
  5. 5.Audit official institutional URLs — confirm that no `*.[school].edu.ph` page or institutional Facebook / LMS account is currently serving attacker content, even though the actor did not name any
  6. 6.Monitor for follow-up posts — Nullsec Philippines has historically returned to a target with additional disclosure or data sample posts when a first claim was thin; absence of follow-up after several days is a signal that the original post may have been opportunistic rather than evidence of deeper access
LagunaCALABARZONprivate schooltechnical institutewebsite defacementNullsecPhilippinesNostrathird-party hostoff-domainhacktivism2026unconfirmed

Related Incidents

High

A state university in Metro Manila

July 4, 2026

Low

A foundation college in Mindanao

May 3, 2026

High

A state university in MIMAROPA

May 2, 2026

Know of a Breach?

Help us keep this tracker accurate and complete. Report school data breaches confidentially.

Report a Breach

Is This Entry Inaccurate?

If you represent the named institution or have evidence that corrects or updates this entry, you can request a correction or submit an official statement for publication.

We review all correction requests and respond within 5 business days. Verified corrections are applied promptly. Institutions may also submit a statement that will appear on this page as a right of reply.

Request a Correction

Protect Your School

Use our free tools and guides to assess your school's security posture.

Free Security ToolsGuides & Resources