SchoolBreach.org
BreachesTrendsToolsLearnAbout
Free Security Check
Security Check
SchoolBreach.org

A public resource tracking data breaches in Philippine schools. Helping administrators protect student data through awareness, education, and free security tools.

© 2026 SchoolBreach.org · A community service by OceanEd

Navigate

  • Breaches
  • Trends
  • Tools
  • Learn
  • Methodology

Company

  • About
  • Privacy Policy
  • Terms of Service
  • Contact Us

Disclaimer: This tracker is maintained for educational and awareness purposes. Incidents are documented using threat intelligence monitoring, Philippine media reports, NPC filings, and responsible disclosures. Social media platforms are monitored for leads and are corroborated before publication or naming — never through active scanning or exploitation. Severity ratings and summaries are prepared with AI assistance and reviewed editorially. Full methodology →

Back to Breach Tracker
Database Leak
HighConfirmed

University of the Philippines Tacloban (UP Tacloban)

A threat actor using the alias 'jamesyu' posted data from UP Tacloban's Learning Management System for sale, exposing over 1,600 student records including names, university emails, degree programs, and profile pictures linked to the official LMS domain.

October 1, 2025Tacloban City, Eastern Visayas1,600+ records affected

Key Facts

Date of Incident
October 1, 2025
Date Discovered
October 1, 2025
Records Affected
1,600+
Source
Deep Web Konek
Data Types Exposed
Full student namesUniversity email addressesDegree programsDepartment affiliationsCity locationsProfile pictures
Response / Action Taken

On 5 September 2025, UP Tacloban issued an official statement. The Office of the Associate Dean for Academic Affairs acknowledged receiving unofficial reports of a possible breach involving the UPTC LMS. The LMS team coordinated with UP Diliman (where the server is hosted) and placed the LMS in maintenance mode as a precautionary measure. Further information was to be shared as necessary, and stakeholders were advised to report irregularities to the LMS Helpdesk.

What Happened

Philippine cybersecurity monitoring group Deep Web Konek (DWK) reported that a threat actor using the alias "jamesyu" claimed to be selling data extracted from the University of the Philippines (UP) Tacloban's Learning Management System (LMS).

The threat actor claimed the dataset contains more than 1,600 rows of student data. Sample data shared as proof showed records from BA Psychology and BA (Social Sciences) Political Science programs, with student locations including Tacloban City and Balangiga. Profile images were linked directly to the official LMS domain (lms.uptacloban.edu.ph), lending credibility to the claim.

On 5 September 2025, UP Tacloban issued an official statement acknowledging the reports. The Office of the Associate Dean for Academic Affairs confirmed receiving unofficial reports of a possible breach involving the LMS. The UPTC LMS team coordinated with the UP Diliman LMS team (where the LMS server is hosted) and placed the LMS in maintenance mode as a precautionary measure. Stakeholders were advised to review account access and report irregularities to the LMS Helpdesk.

Data Exposed

The alleged leak included:

  • Full student names
  • Official university email addresses (@up.edu.ph domain)
  • Degree programs and department affiliations
  • City locations
  • Profile pictures
  • Interest information

Why This Breach Is Concerning

The threat actor specifically noted that the dataset can be leveraged to generate institutional email addresses by following a predictable format. This means attackers could:

  • Create targeted phishing campaigns — using real student names with corresponding @up.edu.ph email addresses to craft highly convincing phishing emails
  • Impersonate students — university email addresses are often used for identity verification with other services (student discounts, software licenses, etc.)
  • Access additional systems — if UP Tacloban uses single sign-on (SSO), compromised LMS credentials could grant access to other university services

This is the second UP campus to be breached in 2025, following the UP Mindanao data breach in August 2025, raising concerns about cybersecurity posture across the UP System's regional campuses.

How This Attack Likely Works

LMS platforms are common targets because they contain structured user databases accessible through web interfaces:

  • LMS vulnerability exploitation — unpatched LMS platforms (Moodle, Canvas, custom systems) often have known vulnerabilities that allow data extraction
  • API abuse — many LMS platforms expose user data through APIs that may lack proper authentication or rate limiting
  • Credential stuffing — using previously leaked credentials to access admin or teacher accounts with user export privileges
  • SQL injection — exploiting input fields in the LMS to query the underlying database directly

How to Prevent This

  1. 1.Keep LMS platforms updated — apply security patches immediately. Subscribe to your LMS vendor's security advisories
  2. 2.Restrict API access — ensure LMS APIs require authentication and implement rate limiting to prevent bulk data extraction
  3. 3.Implement unpredictable email formats — if email addresses follow a predictable pattern (e.g., firstname.lastname@up.edu.ph), consider adding random elements to prevent address generation
  4. 4.Enable MFA on all LMS accounts — particularly for admin and instructor accounts that can export student data
  5. 5.Audit user export permissions — restrict the ability to bulk-export student data to only essential administrative roles
  6. 6.Monitor for unusual data access — set alerts for bulk user data queries or large API responses from the LMS
  7. 7.Coordinate cybersecurity across the UP System — establish shared security standards and threat intelligence across all UP campuses to prevent cascading breaches

Sources & References

All sources are independently verified. Access dates and archive links are recorded for each citation.

  1. [1]
    Deep Web Konek — Alleged LMS data breach exposes students' information from a state university in Eastern Visayas — threat actor 'jamesyu'
  2. [2]
    UP Tacloban Official Statement — Official Statement on the Reported Data Breach of the UP Tacloban LMS, 5 September 2025
  3. [3]
    UP Tacloban Facebook — Official Statement — Facebook post of the official statement on the reported data breach of the UP Tacloban LMS
LMSuniversity emailEastern VisayasDeep Web KonekUP System

Related Incidents

Critical

University of the Philippines Mindanao (UP Mindanao)

August 12, 2025

Critical

Multiple Philippine Schools (LMS Platform Breach)

August 1, 2025

High

A private college in Davao City

March 3, 2026

Know of a Breach?

Help us keep this tracker accurate and complete. Report school data breaches confidentially.

Report a Breach

Is This Entry Inaccurate?

If you represent the named institution or have evidence that corrects or updates this entry, you can request a correction or submit an official statement for publication.

We review all correction requests and respond within 5 business days. Verified corrections are applied promptly. Institutions may also submit a statement that will appear on this page as a right of reply.

Request a Correction

Protect Your School

Use our free tools and guides to assess your school's security posture.

Free Security ToolsGuides & Resources