On April 8, 2025, Morocco’s National Social Security Fund (CNSS) suffered a significant cyberattack. A hacker group identifying as JabaROOT DZ, reportedly linked to Algeria, claimed responsibility. They leaked sensitive data on Telegram and dark web forums, affecting nearly 2 million individuals and around 500,000 businesses.



Data Exposed
Personal Information: Full names, national ID numbers, contact details, and bank account information.
Employment Details: Salaries, job titles, and social security records.
Company Data: Information from various Moroccan enterprises, including state-owned entities.
See Sources: BiometricUpdate | SecureWeb.ma | AP News
According to Hespress on the 8th of April, the Ministry of Economic Inclusion and Employment claimed that the cyberattack only affected an informational website with no sensitive or professional data. However, this contradicts statements from the Algerian hacker group “Jabroot,” who alleged they accessed and leaked confidential CNSS-related records, including salary declarations.
The conflicting accounts have sparked criticism from trade unions demanding accountability, while the National Commission for the Protection of Personal Data (CNDP) urged affected individuals to submit complaints. The government’s apparent deflection and lack of transparency risk undermining public trust and highlight the urgent need for stronger data security and clearer crisis communication.

Nature of the Attack
The breach appears politically motivated, with JabaROOT DZ citing retaliation for alleged Moroccan cyber activities against Algerian institutions. Notably, no ransom was demanded, suggesting objectives beyond financial gain. (Source: cybelangel.com)
Government and CNSS Response
CNSS: Acknowledged the breach, stating some leaked documents are “misleading or incomplete.”
CNDP: Morocco’s data protection authority warned against unauthorized use of the leaked data and is investigating the incident. (Source: euronews.com)
Broader Implications
This incident underscores vulnerabilities in Morocco’s cybersecurity infrastructure, particularly in public sector institutions. Experts highlight the need for the following (source: SecureWeb):
Enhanced Security Measures: Implementing multi-factor authentication, regular system updates, and real-time monitoring.
Public Awareness: Educating citizens on data protection and cyber hygiene.
Policy Reforms: Establishing clear protocols for breach responses and data protection. (Source: SecureWeb.com)
Expert warned everyone!
On April 3rd, cybersecurity expert Hassan Kherjouj publicly flagged a critical vulnerability on a Moroccan government website tied to the Ministry of Economic Inclusion. He shared a screenshot showing a WordPress database connection error, revealing the exact file path:
/public_html/wp-includes/class-wpdb.php
This file is at the core of how WordPress interacts with databases, a prime target for attacks like SQL injection, backdoor deployment, and remote code execution.
Kherjouj didn’t mince words.
“واخا حتى لينا فهمنا هذا الملف.. انا ما كيمينيش كيفاش عادي يحلو المشكل حيث أصغر tuto في يوتيوب تقدر تشرح ليهم العملية في 10 دقايق.”
“Even we understand what this file does… but I don’t get how they plan to fix it, when even a basic YouTube tutorial explains how to exploit it in under 10 minutes.”
The exposed path, the connection error, and the structure of the hosting (cPanel server, /wp-includes/) suggest misconfigurations at the infrastructure level, not just app-level negligence.
This wasn’t a random crash. It was a warning. One that, judging by the ongoing leaks, may have come too late.
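A defensive check for the kind of disclosure described above, as an added example (not from the original article, the expert, or WordPress): it scans response bodies from a site you operate for the WordPress database-error banner, rendered PHP diagnostics, and absolute .php paths. The sample bodies, the function name and the regexes are constructed assumptions.

```python
import re

# Banner WordPress prints when it cannot reach its database.
DB_ERROR = "Error establishing a database connection"
# PHP diagnostics rendered into the page ("Warning: ... on line N").
PHP_DIAG_RE = re.compile(
    r"\b(?:Warning|Notice|Deprecated|Fatal error)\b[^\n]{0,300}?\bon line\b")
# Absolute filesystem paths to .php files. The lookbehind skips URLs and
# quoted href/src values such as "/wp-admin/admin-ajax.php".
PATH_RE = re.compile(r"""(?<![\w.:/"'=])/(?:[\w.-]+/)+[\w.-]+\.php\b""")

# Constructed sample response bodies (not captured from any real site).
SAMPLES = {
    "healthy": '<html><a href="https://example.org/wp-admin/index.php">x</a></html>',
    "generic_db_error": "<h1>Error establishing a database connection</h1>",
    "verbose_php_warning": (
        "<b>Warning</b>: mysqli_real_connect(): (HY000/2002): Connection "
        "refused in <b>/home/example/public_html/wp-includes/class-wpdb.php"
        "</b> on line <b>1234</b><h1>Error establishing a database "
        "connection</h1>"
    ),
}

def audit_response(body: str) -> dict:
    """Return disclosure findings for one HTTP response body."""
    paths = sorted(set(PATH_RE.findall(body)))
    findings = []
    if DB_ERROR in body:
        findings.append("db-connection-error")
    if PHP_DIAG_RE.search(body):
        findings.append("php-diagnostic-output")
    if paths:
        findings.append("server-path-disclosed")
    return {"findings": findings, "paths": paths}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, audit_response(body))
```

A `php-diagnostic-output` hit usually means PHP's `display_errors` (or WordPress's `WP_DEBUG_DISPLAY`) is enabled on a production host; errors belong in a server-side log, not in the response.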

CNSS Hack: German-Based Engineer Linked to Telegram Leak
New findings suggest the CNSS cyberattack may not have come from Algeria as originally claimed.
The Telegram account that first leaked the stolen data was traced to a user with the alias “3N16M4.”
This alias is linked to Rachid Mzannar, a cybersecurity engineer living in Bochum, Germany.
Despite claims by the group JabaROOT DZ, which framed the breach as part of Morocco-Algeria tensions, evidence now points elsewhere.
Mzannar reportedly has ties to Tunisia and an active background in cybersecurity research and competitions.
The discovery raises questions about the attacker’s true intent, affiliations, and possible misdirection tactics.
You?
For individuals concerned about their data (source: BiometricUpdate.com):
Monitor: Regularly check bank accounts and personal profiles for suspicious activity.
Update: Change passwords and enable multi-factor authentication where possible.
Report: Notify CNSS or relevant authorities of any suspected data misuse. (Source: LinkedIn)
This breach serves as a critical reminder of the importance of robust cybersecurity measures and the need for collective vigilance in the digital age.