Morocco Confirms Data Leak Affecting 100,000 Users of MyWay Platform

Last updated: April 17, 2026
  • A compromised staff or user account led to the leak of 100,000 records from Morocco’s MyWay platform.

  • Exposed data includes names, phone numbers, ID card details, and academic tracks, but no official documents.

  • The agency confirmed its core systems remain secure, and a full investigation is now underway.

Morocco’s vocational training office just confirmed a data leak. It affects about 100,000 users of its MyWay career platform.

A single compromised account let a hacker walk away with a lot of personal information. Thankfully, no system breach happened.

Account Misuse Exposed Thousands of Users’ Data

OFPPT’s main computer systems are still secure. The agency stated this clearly on April 14, two days after first spotting trouble.

So what actually happened? The leak appears tied to the misuse of one identified account. Someone may have used a legitimate MyWay user’s login information, possibly obtained through a phishing operation or because an employee left their password visible. That gave them access to some parts of the MyWay platform.

This type of credential-based breach is exactly how the Starbucks data breach exposed the personal data of 889 employees. Hackers used phishing tactics to trick workers into handing over their login details, demonstrating that even major corporations are vulnerable to social engineering attacks that target employees rather than system vulnerabilities.

The stolen data ended up on the dark web as a 19-megabyte CSV file. A threat actor going by the pseudonym “anisanas2” even listed the database for sale. As proof, the hacker released a free sample of those 100,000 records.

What Data Leaked

The leaked information comes from what users voluntarily gave during registration. This includes full names, personal phone numbers, email addresses, and national identity card details.

But here is where it gets more sensitive. The data also covers enrollment details, academic tracks, and highly specific fields of study. These include IT, mechanics, tourism, construction, and electricity. The leak even includes diploma levels and administrative records tied to over 500 vocational training centers across the country.

Now for a crucial distinction. About 70% of the 100,000 records fall under the category of “leads.” These are potential clients who only expressed interest in guidance services. Some may have provided incorrect or incomplete data from the start. The OFPPT also noted that the breach didn’t affect any official documents or supporting files.

What Was Not Affected

The agency wants everyone to know this breach had limits. It only hit specific functions within MyWay, namely account creation and vocational interest assessments.

The leak did not touch other parts of the system. Training pathways and trainee results remain completely safe. The OFPPT stressed that there is no evidence that someone broke into its overall information system.

The Investigation and Fallout

The situation is now contained. The OFPPT information systems department is conducting a thorough examination of the breach. It is also collaborating with the appropriate authorities and third-party IT security specialists to ascertain how this intrusion happened.

The recent breach has elicited strong reactions from the Moroccan media. Both experts and users have been quick to reference last year’s attack on the National Social Security Fund (CNSS), which exposed the private data of nearly 2 million individual workers and over 500 thousand businesses, as well as the security risks that accompany the state’s infrastructure.

As digital transformation outpaces security systems, the OFPPT case confirms a troubling trend. Moroccan institutions digitizing services from social security to education are struggling to patch security holes in time.

The agency promised to tighten up its system. It kicked off an emergency plan in February 2026. The initiative included bringing in outside experts and rolling out Data Loss Prevention tools. However, the setup isn’t fully operational yet. 

But thousands of people are already at risk. So, the agency promised to contact everyone so they can be alert in case scammers send suspicious messages to defraud them.

About the Author

Memchick E

Digital Privacy Journalist

Memchick is a digital privacy journalist who investigates how technology and policy impact personal freedom. Her work explores surveillance capitalism, encryption laws, and the real-world consequences of data leaks. She is driven by a mission to demystify digital rights and empower readers with the knowledge to protect their anonymity online.
