French govt messaging service breached in account hijacking attack

DINUM, the digital affairs directorate of the French government, warned that hackers used a hijacked user account to breach Tchap, the French government's encrypted messaging platform.
Developed in-house by DINUM in collaboration with ANSSI (the French Cybersecurity Agency) in 2018, Tchap is an instant messaging service and collaboration tool based on the decentralized Matrix protocol, designed exclusively for the French public sector.
Tchap has now reached over 300,000 monthly users and over 500,000 downloads on Google's Play Store after Prime Minister François Bayrou mandated the use of Tchap and banned foreign apps for work communications for all civil servants in early August 2025.
DINUM revealed on Monday that ANSSI detected a Tchap breach on Sunday and said that a threat actor gained access to the secure instant messaging platform using a compromised user account.
The French digital affairs directorate has also alerted France's data protection authority, the CNIL, to the incident due to the potential exposure of personal data shared by some users in conversations that the attacker could access. It has also alerted all Tchap users, reminding them that public chat rooms are accessible to any user and are not encrypted.
"At this stage, the account originating the malicious requests has been identified. It was immediately blocked to remove the attacker's persistent access and allow for a thorough analysis of the data they were able to access. The investigation continues, including the study of event logs, to identify the conversations that the attacker was able to access and the nature of the exfiltrated data," DINUM said in a Monday press release.
"A message has been sent to all Tchap users reminding them that a public chat room can be found and joined by any user and that its content is not encrypted. In accordance with Tchap's terms of service, no personal, sensitive, or confidential information should be exchanged in public chat rooms: such exchanges should be reserved for private chat rooms."
While DINUM has not shared any further details regarding this breach, a threat actor claimed responsibility for the incident over the weekend, shared a sample of stolen files, and said they gained access to the platform following a social engineering attack.

"I social engineered a valid account on the education shard (matrix.agent.education.tchap.gouv.fr). Everything below is what that one account could reach, other shards will have more," they said.
They claim to have stolen hardcoded LDAP credentials, allegedly leaked via a PowerShell script shared by a French tax authority regional director, as well as over 13.5GB of documents and media files shared by public servants using the Tchap service.
The threat actor also allegedly scraped nearly 650,000 messages and information on over 73,000 accounts, including email addresses, organization information, meeting links, and account and device metadata.
"Every file ever shared on Tchap, on any shard, is downloadable without a token," they added. "The media IDs come from the messages. Once you have a message with a media URL you can pull the file freely regardless of which shard hosts it."
BleepingComputer reached out to DINUM with questions about the incident, but a response was not immediately available.
Last month, French authorities detained a 15-year-old suspected of selling data stolen in an April cyberattack on ANTS (Agence nationale des titres sécurisés), the country's agency for issuing and managing official identity and registration documents.
