Civil Service Commission data breach, thousands of user details exposed

Published Feb 28, 2021 10:32 am  |  Updated Feb 28, 2021 10:32 am

A hacker who calls himself IamNoobie told me that he was so pissed off with the way government agencies implement security on their websites and servers that he decided to "take matters into his own keyboard".

IamNoobie noticed that the server of the Civil Service Commission (CSC) turned up promising results when he Google dorked government websites. Google dorking is like an ordinary web search, except that instead of searching for words alone, the attacker adds search operators to get results that may reveal hidden content or services. If, for example, you want to limit your search results to a certain domain, you use the operator "site:" without the quotes, and if you only need to see specific file types, you use "filetype:", again without the quotes. So if you need to see whether there are Excel files on government websites that can be accessed, you type site:gov.ph filetype:xls into the search bar and press enter. This simple search function can give you interesting results.

Aside from the multiple vulnerabilities hackers found, the Civil Service Commission website is also using an expired SSL certificate, which exposes users to phishing and other hacking attacks.

Using passive scanning, IamNoobie found a bigger problem: the server has multiple vulnerabilities that could allow hackers to take it over. Passive scanning is a method of detecting vulnerabilities that relies on information from network data captured from the target machine, without interacting directly with it. He then exploited the vulnerabilities and got inside the server, where he found copies of passports, company IDs, official receipts, and personal user information.

IamNoobie also said other hackers are exploiting the server of the Civil Service Commission of the Philippines. Many, according to him, have installed backdoors, which hackers use to bypass regular authentication on a computer system so that they can access and control it at any time. When he saw other groups downloading data, he decided to disconnect them one by one and started to secure the CSC server. He may be too late, though, as a complete list of more than 52 thousand users is now available online, posted by another group of hackers. The multiple vulnerabilities are now confirmed as a data breach.

Others who also contacted us about this said one good thing they noticed is the strict password policy, under which users follow best practices in setting up passwords. The admin, however, is using, according to them, a three-character all-lowercase password that could be cracked in less than a second. This kind of security sums up the country's approach to cybersecurity: users and even companies are asked to strictly follow cybersecurity rules or else face sanctions and penalties, yet government agencies holding user data are using inferior or non-existent security measures. In the words of IamNoobie, the Civil Service Commission server is like a locked car but with all the windows open.
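The "less than a second" claim follows directly from the size of the search space: three lowercase letters give only 26 to the power of 3, or 17,576, possibilities. As an added example (not from the article), the Python below sizes that search space for any password from the character classes it uses, converts it to a worst-case guessing time at a caller-supplied rate, and applies the kind of policy the article says ordinary users were already held to; the sample passwords and the guess rates are constructed, and the rate of a hundred thousand guesses per second is an assumption chosen to be far below what offline cracking hardware achieves.

```python
import string

# Character classes used to size the brute-force search space.
_CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}


def classes_used(password):
    """Names of the character classes that appear in the password."""
    return [name for name, chars in _CLASSES.items() if any(ch in chars for ch in password)]


def keyspace(password):
    """Upper bound on guesses for an attacker who knows the length and the
    character classes used: (alphabet size) ** length."""
    alphabet = sum(len(_CLASSES[name]) for name in classes_used(password))
    return alphabet ** len(password)


def seconds_to_exhaust(password, guesses_per_second):
    """Worst-case time to try every candidate at the given guess rate (rate is caller-supplied)."""
    return keyspace(password) / float(guesses_per_second)


def policy_violations(password, min_length=12, min_classes=3):
    """Return the list of policy rules the password breaks (empty list means compliant).
    The thresholds are assumptions standing in for the 'strict policy' the article mentions."""
    violations = []
    if len(password) < min_length:
        violations.append(f"shorter than {min_length} characters")
    used = classes_used(password)
    if len(used) < min_classes:
        violations.append(f"uses {len(used)} character class(es), policy requires {min_classes}")
    if len(set(password)) < max(3, len(password) // 3):
        violations.append("too few distinct characters")
    return violations


if __name__ == "__main__":
    # Constructed samples: an admin-style three-letter password versus a compliant one.
    rate = 100_000  # assumption: a very conservative guesses-per-second figure
    for pw in ("abc", "Correct-Horse-Battery-9"):
        print(f"{pw!r}: keyspace={keyspace(pw):,} "
              f"worst-case={seconds_to_exhaust(pw, rate):.3g}s "
              f"violations={policy_violations(pw)}")
```

The point for a defender is that `policy_violations` should run on every account, and the privileged ones first: an administrative login that fails the rule set applied to ordinary users is exactly the gap the article describes.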

As of this posting, the server of the Civil Service Commission of the Philippines is relatively safe. Vulnerabilities have been patched, backdoors closed, and hackers booted out of the server, all except one: the one who calls himself IamNoobie.
