French Government Messaging Service Tchap Breached Via Hijacked Account
Hackers compromised Tchap, the French government's secure messaging service, by exploiting a legitimate user account, potentially exposing sensitive data.

Hackers have successfully breached Tchap, the French government's secure and encrypted messaging service, by leveraging a compromised user account. The incident was detected by ANSSI, the French Cybersecurity Agency, and reported by DINUM, the digital affairs directorate responsible for the platform. This breach raises significant concerns about the security of government communications and the potential exposure of sensitive information.
Tchap, developed in-house by DINUM in collaboration with ANSSI, is built on the decentralized Matrix protocol and was established in 2018 to provide a secure communication channel for the French public sector. Its adoption has grown substantially, particularly after Prime Minister François Bayrou mandated its use for all civil servants in August 2025, banning foreign applications for work-related communications. The platform now boasts over 300,000 monthly users and more than 500,000 downloads.
DINUM confirmed that the attackers gained access through a legitimate, but compromised, user account. This allowed them to infiltrate the platform and potentially access conversations. In response, the compromised account was immediately blocked to prevent further unauthorized access and to facilitate a thorough investigation into the extent of the breach. The digital affairs directorate has also alerted France's data protection authority, the CNIL, due to the possibility of personal data being accessed.
While DINUM has not released extensive details, a threat actor claimed responsibility for the attack over the weekend, stating they used social engineering to compromise an account on the 'education' shard of Tchap. This actor alleged they obtained hardcoded LDAP credentials from a leaked PowerShell script and exfiltrated over 13.5GB of documents and media files. Furthermore, they claimed to have scraped approximately 650,000 messages and data from over 73,000 accounts, including email addresses and metadata.
The attackers asserted that files shared on any Tchap shard were downloadable without requiring specific tokens, indicating a potentially widespread vulnerability in file access controls. This claim suggests that the scope of the breach could be more extensive than initially reported by DINUM, impacting a large volume of user-generated content.
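The claim above that the foothold came from hardcoded LDAP credentials in a leaked PowerShell script points at a control any operator of a Matrix deployment (or any directory-integrated service) can put in place: scanning scripts for embedded bind passwords before they leave a workstation or land in a repository. The following is an added example, not code from the article, DINUM or the Tchap project; the PowerShell fragment it scans is constructed for the example, and the three detection rules are the author's own heuristics for common credential shapes (a `$...Pass`/`$...Secret` variable assigned a string literal, `ConvertTo-SecureString ... -AsPlainText`, and a `DirectoryEntry` constructor with a literal bind password). Findings are reported with the secret redacted so the scanner's own output does not become a second leak.

```python
import re
from dataclasses import dataclass

# Constructed sample script (not the leaked one). Lines 3, 4 and 5 each
# embed a bind secret in a different shape; line 7 prompts at runtime and
# must not be flagged.
SAMPLE_SCRIPT = """\
# sync-users.ps1 (constructed sample)
$ldapServer = "LDAP://dc01.example.invalid"
$bindPass = "Sup3rS3cret!"
$entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://dc01.example.invalid", "svc_sync", "Sup3rS3cret!")
$secure = ConvertTo-SecureString "AnotherSecret1" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential("svc_sync", $secure)
$safe = Get-Credential
"""

# Each rule captures the secret literal in group 1 so it can be redacted.
RULES = [
    ("password-variable",
     re.compile(r'\$\w*(?:pass(?:word)?|pwd|secret)\w*\s*=\s*["\']([^"\']+)["\']', re.I)),
    ("plaintext-securestring",
     re.compile(r'ConvertTo-SecureString\s+["\']([^"\']+)["\'][^\n]*-AsPlainText', re.I)),
    ("directoryentry-literal",
     re.compile(r'DirectoryEntry\s*\(\s*["\']LDAP://[^"\']*["\']\s*,\s*["\'][^"\']*["\']\s*,\s*["\']([^"\']+)["\']', re.I)),
]


@dataclass(frozen=True)
class Finding:
    line: int       # 1-based line number in the scanned text
    rule: str       # which heuristic fired
    redacted: str   # the offending line with the secret replaced by ***


def scan_script(text: str) -> list[Finding]:
    """Return one Finding per (line, rule) where a hardcoded credential appears."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES:
            m = pattern.search(line)
            if not m:
                continue
            # Redact only the captured secret; keep the rest for triage context.
            redacted = line[:m.start(1)] + "***" + line[m.end(1):]
            findings.append(Finding(lineno, rule, redacted))
    return findings


def has_hardcoded_credentials(text: str) -> bool:
    """Convenience gate for a pre-commit hook or CI step."""
    return bool(scan_script(text))


if __name__ == "__main__":
    for f in scan_script(SAMPLE_SCRIPT):
        print(f"line {f.line:>3}  {f.rule:<24} {f.redacted}")
```

Run as a pre-commit hook or CI step, `has_hardcoded_credentials` fails the build when any rule fires; the redacted lines are safe to surface in a ticket. The rules are deliberately narrow (string literals only), so a script that reads its bind password from a vault or from `Get-Credential` passes cleanly, which is the pattern such a scanner should push teams toward.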
DINUM has issued a reminder to all Tchap users about the nature of public chat rooms, emphasizing that their content is not encrypted and is accessible to any user. They reiterated that sensitive or confidential information should only be exchanged in private chat rooms, adhering to Tchap's terms of service. The investigation is ongoing to precisely identify the data accessed and its nature.
This incident follows a recent cybersecurity event in France, where authorities detained a teenager suspected of involvement in a cyberattack on ANTS, the agency responsible for issuing identity documents, which occurred in April. The Tchap breach underscores the persistent threats facing government digital infrastructure and the critical need for robust security measures, especially for platforms handling sensitive public sector communications.
The alleged attacker claims to have accessed over 73,000 accounts and millions of messages, including references to restricted government documents, a significantly broader scope than French officials have publicly acknowledged. While officials maintain only public chat rooms were affected and private messages remain encrypted, the attacker's claims suggest potential user enumeration and exfiltration of sensitive data, prompting further investigation by ANSSI and notification of the CNIL data protection watchdog.
While French officials stated the incident did not affect private, end-to-end encrypted conversations, an alleged hacker claimed to have exfiltrated a significant volume of data, including user accounts, messages from public chat rooms, media files, and documents marked "Diffusion Restreinte." The attacker also claimed access was gained through social engineering targeting an account associated with Tchap's education environment, though these claims remain unverified.