What Happened
Philippine cybersecurity monitoring group Deep Web Konek (DWK) reported that a threat actor using the alias "jamesyu" claimed to be selling data extracted from the University of the Philippines (UP) Tacloban's Learning Management System (LMS).
The threat actor claimed the dataset contains more than 1,600 rows of student data. Sample data shared as proof showed records from BA Psychology and BA (Social Sciences) Political Science programs, with student locations including Tacloban City and Balangiga. Profile images were linked directly to the official LMS domain (lms.uptacloban.edu.ph), lending credibility to the claim.
As of the time of reporting, there has been no official statement from the university regarding the alleged breach.
Data Exposed
The alleged leak included:
- Full student names
- Official university email addresses (@up.edu.ph domain)
- Degree programs and department affiliations
- City locations
- Profile pictures
- Interest information
Why This Breach Is Concerning
The threat actor specifically noted that the dataset can be leveraged to generate institutional email addresses by following a predictable format. This means attackers could:
- Create targeted phishing campaigns — using real student names with corresponding @up.edu.ph email addresses to craft highly convincing phishing emails
- Impersonate students — university email addresses are often used for identity verification with other services (student discounts, software licenses, etc.)
- Access additional systems — if UP Tacloban uses single sign-on (SSO), compromised LMS credentials could grant access to other university services
This is the second UP campus to be breached in 2025, following the UP Mindanao data breach in August 2025, raising concerns about cybersecurity posture across the UP System's regional campuses.
How This Attack Likely Works
LMS platforms are common targets because they contain structured user databases accessible through web interfaces:
- LMS vulnerability exploitation — unpatched LMS platforms (Moodle, Canvas, custom systems) often have known vulnerabilities that allow data extraction
- API abuse — many LMS platforms expose user data through APIs that may lack proper authentication or rate limiting
- Credential stuffing — using previously leaked credentials to access admin or teacher accounts with user export privileges
- SQL injection — exploiting input fields in the LMS to query the underlying database directly
How to Prevent This
1. Keep LMS platforms updated — apply security patches immediately. Subscribe to your LMS vendor's security advisories
2. Restrict API access — ensure LMS APIs require authentication and implement rate limiting to prevent bulk data extraction
3. Implement unpredictable email formats — if email addresses follow a predictable pattern (e.g., firstname.lastname@up.edu.ph), consider adding random elements to prevent address generation
4. Enable MFA on all LMS accounts — particularly for admin and instructor accounts that can export student data
5. Audit user export permissions — restrict the ability to bulk-export student data to only essential administrative roles
6. Monitor for unusual data access — set alerts for bulk user data queries or large API responses from the LMS
7. Coordinate cybersecurity across the UP System — establish shared security standards and threat intelligence across all UP campuses to prevent cascading breaches
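Item 6 (and the bulk-extraction concern behind item 2) is the kind of control a campus security team can implement in a few dozen lines against the LMS web server's access log. The script below is an added example written for this page; it is not tooling from UP, DWK, or any LMS vendor. It assumes Combined-Log-Format lines, a Moodle-style profile path (`/user/profile.php?id=N`) and hypothetical export endpoints, and the thresholds are assumptions to tune per deployment. It flags any client that reads more than a threshold of distinct user profiles inside a sliding window, and any export endpoint response larger than a size threshold. The log lines it runs on are constructed inline.

```python
"""Detect bulk user-profile enumeration and oversized exports in LMS access logs.

Added example for this article, not the university's or DWK's tooling.
Assumes Combined Log Format, Moodle-style profile URLs and hypothetical
export paths; thresholds are assumptions to tune per deployment.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Hypothetical endpoint patterns; real paths depend on the LMS in use.
PROFILE_PATH = re.compile(r"^/user/profile\.php\?id=(\d+)$")
EXPORT_PATH = re.compile(r"^/(admin/user/bulk|webservice/rest/server\.php)")

# Assumed thresholds: distinct profiles per client per window, and bytes
# in a single export response, above which an alert is raised.
WINDOW = timedelta(minutes=5)
MAX_DISTINCT_PROFILES = 50
MAX_EXPORT_BYTES = 1_000_000


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    rec["status"] = int(rec["status"])
    return rec


def detect(lines):
    """Return a list of (client_ip, reason) alerts for the given log lines."""
    alerts = []
    windows = defaultdict(deque)   # client ip -> deque of (timestamp, profile id)
    already_flagged = set()        # avoid repeating the enumeration alert per client
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != 200:
            continue
        client = rec["ip"]
        m = PROFILE_PATH.match(rec["path"])
        if m:
            dq = windows[client]
            dq.append((rec["ts"], m.group(1)))
            # Drop entries that fell out of the sliding window.
            while dq and rec["ts"] - dq[0][0] > WINDOW:
                dq.popleft()
            distinct = {pid for _, pid in dq}
            if len(distinct) > MAX_DISTINCT_PROFILES and client not in already_flagged:
                already_flagged.add(client)
                alerts.append((client, f"enumeration: {len(distinct)} distinct profiles within {WINDOW}"))
        elif EXPORT_PATH.match(rec["path"]) and rec["bytes"] > MAX_EXPORT_BYTES:
            alerts.append((client, f"large export response: {rec['bytes']} bytes from {rec['path']} as {rec['user']}"))
    return alerts


def sample_log():
    """Constructed log lines: one ordinary student, one profile scraper, one bulk export."""
    base = datetime(2025, 10, 1, 9, 0, 0, tzinfo=timezone.utc)
    fmt = '{ip} - {user} [{ts}] "GET {path} HTTP/1.1" 200 {size}'
    lines = []
    # Ordinary student views three profiles over ten minutes (stays under threshold).
    for i, pid in enumerate((12, 34, 56)):
        ts = (base + timedelta(minutes=3 * i)).strftime(TS_FMT)
        lines.append(fmt.format(ip="203.0.113.10", user="-", ts=ts, path=f"/user/profile.php?id={pid}", size=4200))
    # Scraper walks ids 1..60 two seconds apart (crosses threshold at the 51st id).
    for pid in range(1, 61):
        ts = (base + timedelta(seconds=2 * pid)).strftime(TS_FMT)
        lines.append(fmt.format(ip="198.51.100.7", user="-", ts=ts, path=f"/user/profile.php?id={pid}", size=4200))
    # Administrative bulk export returning about 5 MB.
    ts = (base + timedelta(minutes=12)).strftime(TS_FMT)
    lines.append(fmt.format(ip="192.0.2.5", user="admin01", ts=ts, path="/admin/user/bulk", size=5_000_000))
    return lines


if __name__ == "__main__":
    for client, reason in detect(sample_log()):
        print(f"ALERT {client}: {reason}")
```

Run against a real log, the script would read lines from the web server's access log instead of `sample_log()`; the large-export rule is deliberately keyed on the authenticated user as well as the client address so that an alert can be routed to whoever owns that admin account, which is where the audit in item 5 picks up.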
Sources & References
[1] Deep Web Konek, "Alleged LMS data breach exposes UP Tacloban students' information — threat actor 'jamesyu'"