Dark Web News Analysis: Database of Moroccan E-Cigarette Vendor Evap.ma Leaked
A database containing customer login credentials from evap.ma, a Moroccan e-cigarette vendor, has been leaked on a hacker forum. The threat actor also claims to have accessed and exposed the website’s administrator login information, signaling a total system compromise. The leak contains a sample of 100 customer records. Critically, the attacker boasts that the “encrypted” passwords “still work,” suggesting a fundamental failure in the website’s security. The exposed data includes:
- Customer Credentials (100 Records): Full names, usernames, email addresses, and passwords.
- Administrator Credentials: The attacker claims to have accessed and initially exposed the site’s main administrator login information.
Key Cybersecurity Insights
The exposure of administrator credentials and weakly protected user passwords is a catastrophic security failure for any e-commerce platform.
- Claim of Exposed Admin Credentials Signals a “Keys to the Kingdom” Breach: The attacker’s claim to have the administrator password, even if they later hid it from the public post, is a critical event. It means they likely had—or still have—complete control over the website’s backend. They could have stolen the entire customer database (not just the 100 samples), altered site content, processed fraudulent orders, or installed persistent backdoors.
- “Working” Encrypted Passwords Indicate Critical Security Failure: The attacker’s boast that the encrypted passwords are still functional strongly implies that a weak, outdated, or broken encryption/hashing algorithm (like MD5) was used to store them. For all practical purposes, these passwords must be considered compromised and exposed as plaintext, a grossly negligent security practice.
- Leaked Credentials Create Immediate Risk of Credential Stuffing: The exposed list of emails and easily cracked passwords will be immediately used by other criminals. They will run this list through automated “credential stuffing” tools to attack other, more valuable websites where the 100 victims may have reused their passwords, such as email, social media, or banking platforms.
Critical Mitigation Strategies
Evap.ma must assume a total compromise of its platform, and its customers must act immediately to protect their other online accounts.
- For Evap.ma: Assume Total Compromise and Launch a Full Security Overhaul: Given the administrator credential exposure, the company must assume total compromise of its live website. This requires taking the site offline for a full forensic investigation and security audit, rebuilding from a known secure state, and, critically, implementing a modern, salted password hashing algorithm (e.g., Argon2 or bcrypt) before returning to service.
- For Evap.ma: Mandate a Universal Password Reset: The company must force a password reset for all of its users, not just the 100 in the sample, as the full database was likely stolen. Implementing Multi-Factor Authentication (MFA) upon relaunch is essential for enhancing future security.
- For Affected Customers: Change All Reused Passwords Immediately: This is the most crucial advice for the victims. The individuals in the leak (and all other customers as a precaution) must change their password on the evap.ma site and, more importantly, on every other online account where they reused that same password.
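The password-storage and forced-reset recommendations above can be combined in one login check. The following is an added example, not code from Evap.ma or from the original post: it assumes the legacy records are unsalted MD5 (the post only suspects this), uses scrypt from the Python standard library as a stand-in for the Argon2 or bcrypt named above, and all function names are hypothetical.

```python
import base64
import hashlib
import hmac
import os

# Assumed cost parameters for this sketch; tune them to your hardware.
N, R, P, DKLEN = 2**14, 8, 1, 32
MAXMEM = 64 * 1024 * 1024


def legacy_md5(password: str) -> str:
    """Hypothetical legacy format: unsalted MD5 hex (the post only suspects MD5)."""
    return hashlib.md5(password.encode()).hexdigest()


def _derive(password: str, salt: bytes, n: int, r: int, p: int) -> bytes:
    return hashlib.scrypt(password.encode(), salt=salt, n=n, r=r, p=p,
                          dklen=DKLEN, maxmem=MAXMEM)


def hash_password(password: str) -> str:
    """Store a fresh random salt and the cost parameters next to the digest."""
    salt = os.urandom(16)
    digest = _derive(password, salt, N, R, P)
    enc = lambda b: base64.b64encode(b).decode()
    return f"scrypt${N}${R}${P}${enc(salt)}${enc(digest)}"


def check_login(password: str, stored: str) -> str:
    """Return 'ok', 'denied', or 'reset_required' for a stored credential."""
    if not stored.startswith("scrypt$"):
        # Pre-breach record: never accept it, even with the right password.
        return "reset_required"
    _, n, r, p, salt_b64, digest_b64 = stored.split("$")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = _derive(password, salt, int(n), int(r), int(p))
    # Constant-time comparison avoids leaking how many bytes matched.
    return "ok" if hmac.compare_digest(actual, expected) else "denied"


if __name__ == "__main__":
    pw = "constructed-sample-password"  # constructed sample, not from the leak
    print(legacy_md5(pw) == legacy_md5(pw))        # unsalted digests repeat
    print(hash_password(pw) == hash_password(pw))  # salted records differ
    print(check_login(pw, legacy_md5(pw)))
    print(check_login(pw, hash_password(pw)))
```

Because the cost parameters are stored inside each record, they can be raised later without invalidating existing hashes.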
Secure Your Organization with Brinztech
As a cybersecurity provider, we can protect your business from the threats discussed here. Contact us to learn more about our services.
Questions or Feedback?
For expert advice, use our ‘Ask an Analyst’ feature. For general inquiries or to report this post, please email us: contact@brinztech.com