Morocco CNSS social security data leak

On 8 April 2025, an actor using the alias Jabaroot published a vast trove of data stolen from Morocco's Caisse Nationale de Sécurité Sociale (CNSS) — the public agency that administers mandatory social-security coverage for the country's private sector. Security researchers described it as likely the largest breach by number of victims in Moroccan history.

What happened

The leak comprised over 53,000 PDF files and two large CSV databases posted on BreachForums, a dark-web cybercrime forum. The CSV records covered nearly 500,000 companies and approximately 2 million employees (precisely 1,996,026 records). Exposed fields included full names, national ID numbers, passport details, email addresses, phone numbers, salary information, and banking credentials, alongside enterprise documents such as affiliate numbers and administrator details.

The dataset reached deep into the Moroccan state: affected entities reportedly included the Ministry of Economy and Finance, the Ministry of Health, the Moroccan Pension Fund, the General Treasury of the Kingdom, and the investment-promotion agency. The compressed archive was timestamped 29 November 2024, indicating the exfiltration occurred months before publication.

Attribution and motive

Jabaroot framed the attack as politically motivated retaliation — specifically a response to a prior compromise of the Algerian Press Service (APS) Twitter account attributed to Moroccan-aligned actors, set against the long-running geopolitical tensions over Western Sahara. Analysts variously described Jabaroot as Algeria-linked, as a loosely affiliated North African collective, or — via OSINT username pivots — as a single engineer. The actor never sought ransom or sold the data, behaviour consistent with hacktivism rather than financial crime. Resecurity confirmed the leaked data was genuine.

Response and impact

The CNSS publicly disputed the authenticity of some circulating files, calling them "often false, inaccurate or truncated," while Morocco's CNDP data-protection authority warned citizens against misuse of their exposed information. Critics noted a slow governmental response and limited legal or regulatory follow-through. In September 2025, the CNSS finally launched an international tender worth MAD 40 million (~$4 million) to rebuild its cybersecurity posture.

Why it matters

The CNSS leak exposed the fragility of centralised public-sector identity systems in the region and showed how a geopolitical grievance can translate into a mass civilian data breach. It became the opening salvo of a broader Jabaroot campaign against Moroccan institutions — followed weeks later by the ANCFCC land-registry leak — and a case study in how hacktivist data dumps, even without monetisation, can inflict lasting identity-theft and fraud risk on an entire national workforce.

Timeline

November 29, 2024

The compressed archive later published by the attacker is timestamped, suggesting the underlying data was exfiltrated on or before this date.

April 8, 2025

An actor using the alias Jabaroot posts the CNSS dataset on BreachForums and opens a Telegram channel that quickly draws over 8,000 subscribers.

April 9, 2025

Moroccan authorities and the CNSS publicly acknowledge the leak; the CNSS claims many circulating documents are 'false, inaccurate or truncated.'

April 10, 2025

Morocco's data-protection authority (CNDP) warns citizens against unauthorised use of the exposed personal data.

June 2, 2025

Jabaroot strikes again, leaking data from Morocco's national land registry (ANCFCC), confirming a sustained campaign against Moroccan institutions.

September 9, 2025

The CNSS launches an international tender worth MAD 40 million (~$4 million) to overhaul its cybersecurity infrastructure.

Sources

resecurity.comhttps://www.resecurity.com/blog/article/cybercriminals-attacked-national-social-security-fund-of-morocco-millions-of-digital-identities-at-risk-of-data-breach

securityaffairs.comhttps://securityaffairs.com/176388/security/national-social-security-fund-of-morocco-suffers-data-breach.html

cybelangel.comhttps://cybelangel.com/blog/our-investigation-of-the-cnss-data-leak-flash-report/

biometricupdate.comhttps://www.biometricupdate.com/202504/sensitive-pii-of-millions-leaked-in-historic-moroccan-data-breach

moroccoworldnews.comhttps://www.moroccoworldnews.com/2025/09/258923/after-jabaroot-data-leaks-cnss-allocates-4-million-for-cybersecurity/

Related incidents

Data breachinvestigatingJune 2, 2025

Morocco ANCFCC land registry data leak

Weeks after the CNSS breach, the hacktivist Jabaroot leaked roughly 4 terabytes of data — millions of property certificates, title deeds, ID cards, passports, and banking documents — from Morocco's national land conservation agency ANCFCC.

Victim: Agence Nationale de la Conservation Foncière, du Cadastre et de la Cartographie (ANCFCC)
Records: 4.0M

Data breachUnknownDecember 28, 2025

Leak at the French Ministry of Agriculture and Food

In late December 2025, the LAPSUS$ Group claimed a breach of France's Ministry of Agriculture and Food, leaking roughly 60 GB (97,210 files) of FTP credentials, SQL databases and system logs spanning 32 departments and 19 business applications.

Victim: French Ministry of Agriculture and Food

Data breachUnknownDecember 22, 2025

Leak at justice.fr

On 22 December 2025 a database attributed to the French justice system (justice.fr) recirculated online, exposing personal, professional and banking data — including IBAN/BIC — of 1,100+ magistrates, judges, lawyers and judicial staff.

Victim: justice.fr

Data breachContainedDecember 19, 2025

Leak at the French Ministry of Sports

On 19 December 2025 France's Ministry of Sports confirmed a breach of a system tied to the Pass'Sport aid scheme, exposing data on about 3.5 million households — names, dates of birth, contact details, social security, INE and CAF numbers — published on a criminal forum.

Victim: French Ministry of Sports