
How to Check If Your School's Data Is on the Dark Web

A step-by-step guide for school administrators to find out if their institution's data has been leaked — and what to do if it has.

Who This Guide Is For

If your school appears in the news, in an NPC advisory, or in someone's warning — or if you simply want to be proactive — this guide walks you through every step to find out whether your school's data is circulating outside your systems.

You don't need to be a cybersecurity expert. You need to be careful, methodical, and willing to act on what you find.


Step 1: Start Here — Check SchoolBreach.org

The fastest first step is to search SchoolBreach.org directly.

Use the search bar on the homepage and type your school name (or abbreviation — "DLSU", "DepEd Laguna", "UP Cebu" all work). If your institution appears here, you'll see the incident date, severity, records affected, and a link to the full report.

What the results mean:

  • Found: Your school has a documented breach. Read the full report for details on what data was exposed, when, and what response was taken.
  • Not found: No documented public breach — but this doesn't mean you're safe. The absence of a listing means no breach has been publicly confirmed, not that no breach has occurred.

Step 2: Check Have I Been Pwned (HIBP)

Have I Been Pwned (haveibeenpwned.com) is the world's most widely used breach notification service. It aggregates data from thousands of known breach databases.

Check a specific email address

Go to haveibeenpwned.com and enter any school email address (yours, or a shared admin account like [email protected]). HIBP will tell you if that address appears in any known breach.

Check your entire domain (recommended for admins)

HIBP offers a Domain Search that checks all email addresses under your school's domain at once.

  1. Go to haveibeenpwned.com/DomainSearch
  2. Enter your school's email domain (e.g., yourschool.edu.ph)
  3. HIBP will send a verification email to an address on that domain (postmaster@, webmaster@, or admin@)
  4. Once verified, you'll see a report of all compromised addresses under your domain

What the results mean:

  • A "pwned" result means that email address appeared in a breach database that HIBP has indexed. It doesn't necessarily mean your school's own systems were breached — it could be a third-party service your staff used.
  • Focus on results showing credential data (username + password) — these are the most actionable.
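
One way to do the triage described above, as an added example that is not part of the original guide or of HIBP's own tooling. It assumes the domain search result is available as JSON mapping each address alias to breach names, and that each breach record carries a "DataClasses" list; the breach names and sample data are constructed, and `triage` is a hypothetical helper.

```python
import json

# Constructed sample: shape of a HIBP domain search result
# (alias -> names of breaches that address appears in).
DOMAIN_RESULT = json.loads("""
{
  "registrar": ["ExampleLMS", "ExampleForum"],
  "admissions": ["ExampleMarketingList"],
  "it.admin": ["ExampleForum"]
}
""")

# Constructed sample: breach metadata with HIBP-style "DataClasses".
BREACHES = json.loads("""
[
  {"Name": "ExampleLMS", "BreachDate": "2023-04-11",
   "DataClasses": ["Email addresses", "Passwords", "Usernames"]},
  {"Name": "ExampleForum", "BreachDate": "2019-08-02",
   "DataClasses": ["Email addresses", "IP addresses"]},
  {"Name": "ExampleMarketingList", "BreachDate": "2021-01-20",
   "DataClasses": ["Email addresses", "Names", "Phone numbers"]}
]
""")

def triage(domain, domain_result, breaches):
    """Split addresses into those needing a password reset and those to monitor."""
    by_name = {b["Name"]: b for b in breaches}
    reset, monitor = [], []
    for alias, names in sorted(domain_result.items()):
        address = f"{alias}@{domain}"
        known = [by_name[n] for n in names if n in by_name]
        unknown = [n for n in names if n not in by_name]
        cred = [b for b in known if "Passwords" in b["DataClasses"]]
        if cred or unknown:
            # Unknown breach names are treated as credential exposure until checked.
            latest = max((b["BreachDate"] for b in cred), default=None)
            reset.append({"address": address,
                          "breaches": [b["Name"] for b in cred] + unknown,
                          "latest_breach": latest})
        else:
            monitor.append(address)
    return {"reset_password": reset, "monitor": monitor}

if __name__ == "__main__":
    print(json.dumps(triage("yourschool.edu.ph", DOMAIN_RESULT, BREACHES), indent=2))
```

Addresses in the `reset_password` list are the ones to act on first; the `monitor` list still belongs in the documentation for your DPO.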

Step 3: Check Breach Intelligence Databases

Several services aggregate breach data from cybercriminal forums, paste sites, and data dumps. These can surface breaches that haven't been widely reported yet.

Free options

IntelX (intelligence.cx):

A search engine for leaked data. The free tier lets you search by email domain or keyword. Search for your school's name, email domain, and common staff email patterns.

DeHashed (dehashed.com):

Aggregates breach data and allows domain-level searches. Free searches are limited; paid tiers provide full results. Useful for checking if school credentials have appeared in breach compilations.

Important: These tools show you that data exists — not what's in it. Their purpose here is detection, not access. Never attempt to download or access leaked data files.


Step 4: Search Google for Publicly Indexed Leaks

Some leaked data ends up on paste sites (Pastebin, Ghostbin) or file-sharing services and gets indexed by Google. These searches help find publicly accessible leaks:

Search 1 — Paste sites:

Search: site:pastebin.com "yourschool.edu.ph"

Search 2 — SQL dump files:

Search: "yourschool.edu.ph" filetype:sql

Search 3 — School name in breach context:

Search: "[Your School Name]" data breach leaked

What finding results means:

Finding results doesn't mean your school was specifically targeted — some paste sites host scraped data from many sources. But finding your school's email addresses or student records in a paste is a significant signal worth investigating.


Step 5: What NOT to Do

Regardless of what you find, do not:

  • Visit dark web links. Darknet marketplaces and forums require Tor and are dangerous territory for non-experts. Nothing you need is there that you can't find through legitimate sources.
  • Try to access or download leaked files. Even viewing leaked data can have legal implications. Your job is to detect and respond, not to retrieve.
  • Contact threat actors. Do not attempt to reach the people who claim to hold your data. This escalates the situation and can invite further attacks.
  • Panic or delay. A confirmed breach has legal reporting timelines. The 72-hour NPC notification requirement starts from when you have reasonable grounds to believe a breach occurred — not when you've confirmed every detail.

Step 6: If You Find Something

Immediate steps

  1. Document what you found. Screenshot the evidence, note the URL, date, and what data appears to be included.
  2. Assess the scope. Is it one email? A database? Old data from a discontinued system? This affects your response.
  3. Convene your Data Protection Officer (DPO). If your school has an appointed DPO, loop them in immediately.

NPC reporting obligation

Under the Data Privacy Act (RA 10173), if a breach involves sensitive personal information of 1,000 or more individuals, your school must notify the National Privacy Commission within 72 hours of discovering the breach.

Report at: privacy.gov.ph

Read the full response guide: What To Do When Your School Gets Breached


Step 7: Prevention Going Forward

Finding no current breach is good — but staying clean requires ongoing effort.

Run the free Site Scanner

The Site Scanner checks your school's public website for security headers, privacy compliance, and common vulnerabilities. Run it regularly (monthly is a good cadence).

Check your email security

Use the Email Security Checklist to verify your school's SPF, DKIM, and DMARC configuration. Email is the most common entry point for credential theft.

Use Have I Been Pwned alerts

Once you've verified your domain on HIBP, you can set up domain monitoring to receive email notifications if new breaches involving your domain are discovered. This is free and automatic.

Complete the security checklist

The School Cybersecurity Checklist covers the 10 most impactful security controls for Philippine schools — most of which are free or low-cost to implement.


Summary: Your Checklist

  1. Search SchoolBreach.org for your school name and common abbreviations
  2. Check your email domain on Have I Been Pwned (free domain monitoring available)
  3. Search IntelX and/or DeHashed for your email domain and school name
  4. Run Google searches for paste site leaks
  5. If you find something: document it, notify your DPO, assess the 72-hour NPC reporting threshold
  6. If you find nothing: run the Site Scanner and set up HIBP domain monitoring for ongoing detection
