▣ Breach MOROCCO-CIVIL-RECO 2026-06-04

Morocco Civil Records: Jabaroot Watiqa.ma Data Leak

A threat actor operating under the alias Jabaroot has claimed responsibility for leaking more than 695,000 records allegedly exfiltrated from Morocco's Watiqa.ma civil records portal. The claim, surfaced by Dark Web Informer and reported by Morocco World News, was disclosed alongside a separate confirmed breach at Carnival Corporation that exposed personal data belonging to nearly 6 million customers. Together, the two incidents underscore the continued targeting of identity-rich datasets by financially and ideologically motivated actors.

What Happened

Jabaroot, a threat actor previously linked to multiple incidents involving Moroccan citizen data, claimed to have exfiltrated and leaked records from the Watiqa.ma platform, a public service used by Moroccan citizens to request administrative documents online, including birth certificates and other civil records. The claim has not yet been officially confirmed by Moroccan authorities or the platform's administration, but the threat actor's previous track record involving leaks of Moroccan citizen data lends weight to the disclosure.

In a separate but contemporaneously disclosed incident, cruise operator Carnival Corporation confirmed that 5,995,277 individuals had their personal data stolen following a social engineering attack first detected on April 14, 2026. Unauthorized actors compromised an employee account and exfiltrated files from corporate systems. The ShinyHunters extortion group later claimed responsibility and published the stolen dataset in late April. Have I Been Pwned's analysis of the leaked archive found 8.7 million records and 7.5 million unique email addresses tied to the Mariner Society loyalty program operated by Holland America Line, a Carnival-owned brand.

What Was Taken

The alleged Watiqa.ma dataset, comprising more than 695,000 records, reportedly includes:

The Carnival breach exposed a broader and more commercially valuable dataset covering nearly 6 million confirmed individuals (and up to 8.7 million unique records per third-party analysis), including:

Why It Matters

Civil registry data is among the most damaging categories of personal information that can be exposed. Unlike passwords or payment cards, birth certificate numbers and parental lineage cannot be rotated or reissued, making victims permanently vulnerable to identity fraud, synthetic identity creation, and targeted social engineering across financial, governmental, and immigration contexts. For Morocco specifically, repeated targeting by Jabaroot suggests a sustained campaign against national identity infrastructure rather than an opportunistic intrusion.

The simultaneous Carnival disclosure highlights a parallel risk vector: ShinyHunters continues to monetize stolen identity data at scale, and government-issued ID numbers combined with full PII enable downstream account takeover, KYC bypass, and travel document fraud. Defenders treating these as isolated events miss the broader picture, since the data from both incidents can be cross-referenced and combined with prior breaches to enrich attacker profiles of the same victims.

The Attack Technique

Technical details surrounding the Watiqa.ma intrusion have not been disclosed by Jabaroot or by Moroccan authorities. Given the actor's history of targeting Moroccan public sector platforms, recurring weaknesses in administrative portal authentication, access control, or third-party integrations are plausible vectors.

The Carnival breach is better understood. The intrusion began with a social engineering attack that successfully compromised an employee account. Once authenticated, the threat actor pivoted into corporate systems and exfiltrated files containing personal information before detection on April 14, 2026. The pattern is consistent with ShinyHunters' documented tradecraft of targeting helpdesk, SSO, and SaaS-integrated identity workflows to bypass perimeter controls without deploying malware.

What Organizations Should Do

  1. Harden identity workflows against social engineering. Require phishing-resistant MFA (FIDO2/WebAuthn) for all employee accounts, particularly those with access to customer or citizen data. Restrict helpdesk-driven credential and MFA resets with out-of-band verification.
  2. Segment access to bulk PII repositories. Civil registry and loyalty program datasets should sit behind just-in-time access, with bulk-export operations triggering automatic alerts and approval workflows.
  3. Monitor for ShinyHunters and Jabaroot leak announcements. Track underground forums and Telegram channels where these actors publish samples, and ingest indicators into threat-intel platforms to identify exposed third-party data quickly.
  4. Audit third-party administrative portals. Government and public service platforms exposing civil records should undergo external authentication reviews and enforce API rate limiting and credential stuffing protections.
  5. Notify and protect affected individuals. Where exposure is confirmed, offer identity monitoring, credential reset guidance, and warn customers about targeted phishing referencing the leaked data fields.
  6. Tabletop the cross-breach scenario. Plan response for incidents where attackers combine your data with prior leaks (Carnival + Watiqa.ma style enrichment), since regulator and customer expectations now extend beyond the single-event view.
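
Recommendation 2 asks for bulk-export alerting on PII repositories. The following is an added example, not taken from the original brief or its sources: it flags accounts whose unapproved record reads add up past a threshold inside a sliding window, which also catches an export split into several smaller queries. The event fields, account names, approval IDs, threshold and window are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit events (not real data):
# (timestamp, account, records returned, just-in-time approval id or None)
SAMPLE_EVENTS = [
    ("2026-01-01T09:00:00", "svc-report", 5000, "JIT-001"),  # approved export
    ("2026-01-01T09:01:00", "a.clerk", 3, None),             # normal lookup
    ("2026-01-01T09:02:00", "h.desk", 400, None),            # export split into
    ("2026-01-01T09:04:00", "h.desk", 450, None),            # three smaller reads
    ("2026-01-01T09:07:00", "h.desk", 300, None),
    ("2026-01-01T09:30:00", "a.clerk", 5, None),
    ("2026-01-01T10:00:00", "b.admin", 2500, None),          # single large read
]

def flag_bulk_exports(events, threshold=1000, window=timedelta(minutes=10)):
    """Return one alert per burst of unapproved reads exceeding `threshold`
    records within `window` for the same account."""
    recent = defaultdict(deque)  # account -> (time, count) pairs inside window
    totals = defaultdict(int)    # account -> records currently inside window
    alerts = []
    for ts, account, count, approval in sorted(events, key=lambda e: e[0]):
        if approval:
            # Assumption: approval ids are validated upstream against the
            # just-in-time access system before they reach this log.
            continue
        now = datetime.fromisoformat(ts)
        queue = recent[account]
        queue.append((now, count))
        totals[account] += count
        # Drop reads that have aged out of the sliding window.
        while queue and now - queue[0][0] > window:
            totals[account] -= queue.popleft()[1]
        if totals[account] > threshold:
            alerts.append({"account": account, "time": ts,
                           "records_in_window": totals[account]})
            queue.clear()        # reset so one burst raises one alert
            totals[account] = 0
    return alerts

if __name__ == "__main__":
    for alert in flag_bulk_exports(SAMPLE_EVENTS):
        print(alert)
```
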

Sources: Morocco Civil Records Data Leak and Carnival Data Breach Affect Millions