A critical access control vulnerability in Morocco’s national education platform, Massar (massar.men.gov.ma), has been weaponized and is now being sold on the dark web. A threat actor operating under the name ForzaMilan posted the listing, offering full access to highly sensitive educational records and government communication data.
The attacker claims the exploit allows full read and delete access to the platform’s backend, without the need for advanced technical skills. The breach reportedly affects over 6 million personal records, including names, ID codes, facial images, places of origin, student and parent details, and physical addresses.
Additionally, the attacker states the dump includes more than 23,000 confidential support tickets, which are communications between teachers and Moroccan government officials. These tickets reportedly contain operational insights and troubleshooting logs that may expose backend systems and processes.
The data size is said to exceed 1 terabyte, and the price for full access has been listed at $2,000. ForzaMilan has also provided a Telegram handle for interested buyers, suggesting this exploit may already be circulating in underground threat groups.
This is a serious national security concern—not just from a data privacy perspective, but also because it affects students, teachers, parents, and government operations. Educational platforms are increasingly becoming high-value targets, and this incident places Morocco’s entire digital education infrastructure at risk.
Authorities need to act quickly to confirm the breach, secure affected systems, notify impacted individuals, and conduct a full forensic review. Any delay in response could result in data misuse, identity theft, or long-term disruptions to the education sector.