Over 1 Million DepEd-Linked Accounts Found in Recent Breach Monitoring
More than a million accounts linked to the Department of Education have been identified in recent breach intelligence scans, with exposures traced to both new and historical leaks from dark web marketplaces, closed forums, and breach repositories. Some of these accounts date back to late 2023, while others appeared in aggregated dumps uploaded only weeks ago, proof that old data can remain a live threat for years.
According to the Deep Web Konek (DWK) Breach Monitoring Team led by Elizze Serna, the compromised accounts fall into three categories: Employees (111,952 accounts), Third Parties (613,105 accounts), and Customers (293,768 accounts). DWK classifies these based on matching patterns between email domains and the domains of the breached websites.
Employee accounts, where both website and email domains match deped.gov.ph, often belong to teaching staff, administrators, and IT personnel. Of these, 15.5% use weak or very weak passwords. Many were exposed through third-party platforms such as online training portals and HR systems, with leaks dating from mid-2024 back to 2023.
Third-party accounts, where the email matches deped.gov.ph but the website does not, make up the largest share, at over 613,000 exposures. These belong to contractors, vendors, and partner organizations who used DepEd-issued emails on external services. Many appeared in massive dumps that surfaced in late 2024, though some trace back to 2023 vendor breaches, which underscores ongoing supply-chain vulnerabilities.
Customer accounts, where the website matches deped.gov.ph but the email domain does not, represent parents, students, and other public users of DepEd platforms. Nearly 23% use weak or very weak passwords. These often appear in infostealer logs, or data harvested by malware that extracts saved passwords and cookies, with some infections occurring in the past six months and others from older campaigns resold in 2024.
DWK notes that password strength offers little protection if credentials have already been stolen. Infostealers bypass brute-force cracking entirely by stealing logins and session cookies directly from devices, making even long, complex passwords useless once exfiltrated.
The monitoring process involves aggregating leaked credentials from multiple sources, deduplicating them, and categorizing them for risk assessment. Many accounts may still be active if owners never changed their passwords after the breach. Even older leaks from 2022–2023 remain a threat due to password reuse and the absence of multi-factor authentication (MFA).
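The domain-matching rule and the deduplication step described above can be sketched as follows. This is an added example, not DWK's code: the record layout (site, email), the treatment of subdomains as part of the organization, the account-level dedup key, and the sample records are all assumptions.

```python
from collections import Counter
from typing import Optional
from urllib.parse import urlsplit

ORG_DOMAIN = "deped.gov.ph"

def in_org(host: str) -> bool:
    """True for the org domain or a subdomain; rejects lookalikes such as notdeped.gov.ph."""
    host = host.lower().strip().rstrip(".")
    return host == ORG_DOMAIN or host.endswith("." + ORG_DOMAIN)

def site_host(site: str) -> str:
    """Hostname from a full URL or a bare host, as both occur in leak records."""
    if "//" not in site:
        site = "//" + site
    return (urlsplit(site).hostname or "").lower()

def classify(site: str, email: str) -> Optional[str]:
    """Apply the three categories from the article; None means not org-related."""
    email_match = in_org(email.rpartition("@")[2])
    site_match = in_org(site_host(site))
    if site_match and email_match:
        return "employee"
    if email_match:
        return "third_party"
    if site_match:
        return "customer"
    return None

def summarize(records) -> Counter:
    """Deduplicate on (site host, email) and count accounts per category."""
    seen, counts = set(), Counter()
    for site, email in records:
        key = (site_host(site), email.strip().lower())
        if key in seen:
            continue
        seen.add(key)
        category = classify(site, email)
        if category:
            counts[category] += 1
    return counts

# Constructed sample records (not real leak data).
SAMPLE = [
    ("https://lms.deped.gov.ph/login", "Teacher1@deped.gov.ph"),
    ("lms.deped.gov.ph", "teacher1@DEPED.gov.ph"),            # duplicate of the first
    ("https://training.example.com/signin", "vendor@deped.gov.ph"),
    ("https://portal.deped.gov.ph", "parent@example.org"),
    ("https://notdeped.gov.ph", "someone@example.org"),       # lookalike, ignored
    ("https://example.com", "user@deped.gov.ph.example.net"), # lookalike email, ignored
]
```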
DWK recommends that DepEd and its partners enforce password resets, enable MFA on all accounts, scan endpoints for infostealers, and review security compliance among vendors. Individuals, whether employees, contractors, or public portal users, should immediately change passwords and avoid reusing them across services.
In the underground market, data has a long shelf life. A breach from two years ago can still open doors today, and without proactive monitoring and remediation, those doors may stay open indefinitely.