Morocco's Office of Vocational Training and Employment Promotion (OFPPT), the country's largest public technical training institution, confirmed a major data breach on April 14, 2026, after a threat actor using the alias "anisanas2" listed a database of over 400,000 student records for sale on the dark web. The leak, traced to the MyWay career guidance platform, exposes current trainees and graduates across more than 500 vocational centers nationwide.
What Happened
Initial indicators of compromise surfaced on April 12, 2026, when threat monitoring platforms Dark Web Intelligence and VECERT Analyzer flagged a dark web listing offering the full OFPPT database. To validate the claim, the actor published a free sample of 100,000 records, pressuring OFPPT into official confirmation two days later. Approximately 70% of the sample consists of "leads," individuals who had expressed interest in training programs but had not yet fully enrolled, suggesting the compromised system stored both prospective and active user data.
What Was Taken
The exposed dataset is highly sensitive and ideally structured for identity-based fraud. Confirmed categories include:
- Full names
- Personal phone numbers
- Email addresses
- Enrollment details
- Academic tracks and specific fields of study (IT, mechanics, tourism, construction, electricity)
- Diploma levels
- Administrative records tied to over 500 vocational training centers
The combination of verified contact information with program-level metadata gives attackers the context needed to craft convincing, targeted lures against a young and professionally aspirational demographic.
Why It Matters
OFPPT is a strategic national institution, and a breach of this scale represents both a privacy failure and a population-level targeting opportunity. The victim base skews toward students and early-career workers, a demographic historically susceptible to employment-themed phishing, SIM-swap fraud, and financial scams. With granular academic data in hand, adversaries can impersonate OFPPT itself, craft fake job offers aligned to each victim's specialization, or pivot into account takeovers against Moroccan telecom and banking services. For regional defenders, this incident also signals growing attacker interest in North African education sector infrastructure.
The Attack Technique
According to reporting from Morocco World News and Maroc Diplomatique, the leak originated from the MyWay platform, a digital tool OFPPT deploys for student career guidance. While OFPPT has not disclosed the technical root cause, the actor's ability to exfiltrate a structured dataset including both enrolled trainees and unconverted leads is consistent with an application-layer compromise, such as an exposed API endpoint, broken access control, or credential compromise on an administrative account. The clean categorization of the leaked data mirrors what would be produced by a direct database dump rather than piecemeal scraping.
What Organizations Should Do
- Audit all student-facing and CRM-style platforms for authentication gaps, exposed APIs, and insecure direct object references, particularly in systems serving lead capture alongside enrolled users.
- Apply strict segmentation between marketing/lead databases and active user records to limit the blast radius of any single compromise.
- Deploy dark web monitoring for institutional domains, student email patterns, and project codenames to detect listings earlier than third-party researchers.
- Prepare and rehearse public breach communications, including student-facing phishing warnings, given the high likelihood of follow-on spear-phishing and SIM-swap attempts.
- Coordinate with national telecom providers to flag SIM-swap requests against numbers tied to the affected population.
- Require MFA on all administrative backends of student information systems and rotate long-lived service credentials.
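The audit, segmentation, and MFA items above can be expressed as an automated check over an API route inventory. The sketch below is an added example, not code from OFPPT, MyWay, or the cited reporting. The route paths, store names, field names, and finding labels are all constructed assumptions.

```python
# Added illustration: every route, store and field name here is constructed.
PII_FIELDS = {"full_name", "phone", "email", "enrollment",
              "field_of_study", "diploma_level"}

# Constructed sample inventory of a student-facing platform's API routes.
ROUTES = [
    {"path": "/api/leads/{id}", "auth": "none", "object_check": False,
     "stores": ["leads_db"], "returns": ["full_name", "phone", "email"]},
    {"path": "/api/trainees/{id}", "auth": "session", "object_check": False,
     "stores": ["trainees_db"],
     "returns": ["full_name", "enrollment", "diploma_level"]},
    {"path": "/api/admin/export", "auth": "password", "object_check": True,
     "stores": ["leads_db", "trainees_db"],
     "returns": ["full_name", "phone", "email", "enrollment"]},
    {"path": "/api/me", "auth": "session", "object_check": True,
     "stores": ["trainees_db"], "returns": ["full_name", "email"]},
    {"path": "/api/centers", "auth": "none", "object_check": False,
     "stores": ["catalog_db"], "returns": ["center_name", "city"]},
]

def audit_route(route):
    """Return the list of findings for one route; empty if it is clean."""
    findings = []
    if not PII_FIELDS & set(route["returns"]):
        return findings  # no personal data returned, nothing to flag
    if route["auth"] == "none":
        findings.append("unauthenticated-pii")
    # A record id in the path with no ownership check is the IDOR pattern.
    if "{id}" in route["path"] and not route["object_check"]:
        findings.append("missing-object-level-check")
    # One route reading both stores defeats lead/enrolled segmentation.
    if {"leads_db", "trainees_db"} <= set(route["stores"]):
        findings.append("crosses-lead-and-enrolled-stores")
    if route["path"].startswith("/api/admin/") and route["auth"] != "mfa":
        findings.append("admin-without-mfa")
    return findings

def audit(routes):
    """Map each flagged route path to its findings."""
    return {r["path"]: f for r in routes if (f := audit_route(r))}

if __name__ == "__main__":
    for path, findings in audit(ROUTES).items():
        print(f"{path}: {', '.join(findings)}")
```

Running a check like this in CI against a maintained route manifest catches a lead-capture endpoint that starts returning personal data without authentication before it ships.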
Sources: Morocco Data Leak: 400K Student Records Exposed in OFPPT Cyber Incident