According to hacker's statement, he compromised the data by exploiting the SQL Injection vulnerability in the Navy's "BRP Alcaraz blog" page (navy.mil.ph/alcaraz).
However, we are not able to access the given link at the time of writing. It appears the admin has taken down the link. The news was first reported by local hacking news site PinoyHackNews.
In a pastebin post(pastebin.com/5xhP6zft), hackers leaked the login credentials compromised from the database. It includes the Admin login credentials. What's worse is that they are using very weak username and password.
They have used the "userpassword" as password. Even if there is no bug, hacker could have guessed the password or get the password by brute-forcing. It is sad to know that the Navy website itself has poor security and weak passwords.