DINUM, the French government’s digital affairs directorate, has warned that hackers have breached Tchap, the French government’s encrypted messaging platform, using hijacked user accounts.
Developed in-house by DINUM in collaboration with ANSSI (French Cybersecurity Agency) in 2018, Tchap is an instant messaging service and collaboration tool based on the decentralized Matrix protocol and designed specifically for the French public sector.
Tchap now has more than 300,000 monthly users and has been downloaded more than 500,000 times on Google’s Play Store, after Prime Minister François Bayrou made the use of Tchap mandatory in early August 2025 and banned foreign apps for business communications for all civil servants.
DINUM said on Monday that ANSSI detected the Tchap breach on Sunday, and that the attackers used compromised user accounts to access the secure instant messaging platform.
France’s Directorate General for Digital Affairs also alerted France’s data protection authority, the CNIL, to the incident, as personal data shared by some users in conversations that could be accessed by attackers could be leaked. It also alerted all Tchap users, reminding them that public chat rooms are accessible to any user and are not encrypted.
“At this stage, the account originating the malicious request has been identified. The account was immediately blocked to remove the attacker’s permanent access and to allow a thorough analysis of the data that was accessible. Investigations are continuing, including examination of event logs, to determine the conversations that the attacker was able to access and the nature of the data that was exfiltrated,” DINUM said in a press release on Monday.
“All Tchap users should be aware that messages are sent, public chat rooms can be found and joined by any user, and their contents are not encrypted. In accordance with Tchap’s Terms of Service, personal and confidential information should not be exchanged in public chat rooms. Such exchanges should be reserved for private chat rooms.”
DINUM did not provide details about the breach, but the attackers claimed responsibility for last weekend’s incident, shared samples of stolen data, and said they gained access to the platform after a social engineering attack.
“I’ve socially engineered a valid account on the training shard (matrix.agent.training.tchap.gouv.fr). Everything below is as far as that one account can reach, and other shards have more,” they said.
They claim to have stolen hard-coded LDAP credentials that were allegedly leaked via a PowerShell script shared by a regional director of the French tax authority, as well as more than 13.5GB of document and media data shared by public servants using the Tchap service.
The attackers also allegedly scraped roughly 650,000 messages and information about more than 73,000 accounts, including email addresses, organizational information, meeting links, and account and device metadata.
“All data ever shared on Tchap can be downloaded without tokens on any shard,” they added. “The media ID is retrieved from the message. Once you have the message with the media URL, you are free to pull the file regardless of which shard hosts it.”
BleepingComputer reached out to DINUM with questions about the incident, but did not immediately receive a response.
Last month, French authorities detained a 15-year-old man on suspicion of selling data stolen in an April cyberattack on ANTS, the agency that issues and manages official identification cards and registration documents.
