Account Hijacking Breach Affects French Government Messaging Platform Tchap

Severity: High (Score: 62.5)

Sources: Theregister, Engadget, Feeds2.Feedburner, www.numerique.gouv.fr, Bleepingcomputer

Published: 2026-06-09 · Updated: 2026-06-09

Keywords: french, messaging, account, government, compromise, platform, breach

Severity indicators: pla, breach, government

Summary

On June 7, 2026, France's National Cybersecurity Agency (ANSSI) detected a breach of Tchap, the government's encrypted messaging platform, caused by an account hijacking. The attacker reportedly used social engineering to compromise a valid user account linked to Tchap's education shard. While French authorities claim that only public chat rooms were accessed, the attacker alleges they accessed over 73,000 user accounts and scraped nearly 650,000 messages. DINUM, the agency overseeing Tchap, has blocked the compromised account and is investigating the extent of the data accessed. They have also notified the CNIL regarding potential exposure of personal data. The investigation is ongoing, with officials analyzing logs to determine the full scope of the breach. The attacker claimed to have exfiltrated sensitive documents and media files shared by public servants, raising concerns about the integrity of government communications.

Key Points:

  • The breach of Tchap was initiated through social engineering of a valid user account.
  • Authorities claim only public chat rooms were compromised, but the attacker asserts broader access.
  • DINUM is investigating the incident and has alerted the CNIL about potential data exposure.

Detailed Analysis

**Impact** Over 300,000 monthly users of Tchap, the French government’s encrypted messaging platform, are affected, primarily civil servants and public sector employees across ministries and agencies. The attacker accessed at least one hijacked user account on the education shard, potentially exposing over 73,000 user accounts, approximately 643,000 messages, nearly 60,000 media files, and more than 13.5 GB of documents and media. Public chat rooms, which are unencrypted and accessible to all users, were confirmed accessed; private conversations remain encrypted and inaccessible. The breach risks exposure of personal data, organizational information, meeting links, and device metadata, with potential implications for government confidentiality and user privacy.

**Technical Details** The attack vector was a social engineering campaign targeting a valid user account on the education shard of Tchap, leading to account hijacking and unauthorized access. The platform is based on the decentralized Matrix protocol, with public chat rooms unencrypted by design. The attacker exploited hardcoded LDAP credentials allegedly leaked via a PowerShell script from a French tax authority source. No malware, CVEs, or additional tools were reported; the compromise occurred at the credential and access management stage of the kill chain. The compromised account was identified and blocked promptly by DINUM.

**Recommended Response** Immediate blocking and disabling of compromised accounts is critical, alongside thorough log analysis to determine the full scope of accessed data. Organizations should enforce strict credential hygiene, including revocation and rotation of exposed LDAP credentials and enhanced user training to mitigate social engineering risks. Monitoring for unusual account activity and implementing multi-factor authentication (MFA) where not already in place are advised. Continued collaboration with CNIL and ANSSI for incident response and data protection compliance is necessary. No specific patches or malware detections were indicated.

Source articles (5)

  • French govt messaging service breached in account hijacking attack — Bleepingcomputer · 2026-06-09
    DINUM, the digital affairs directorate of the French government, warned that hackers used a hijacked user account to breach Tchap, the French government's encrypted messaging platform. Developed in-ho…
  • France probes compromise of gov messaging platform after account hijack — Theregister · 2026-06-09
    Authorities say the breach only exposed public chat rooms, but alleged attacker claims to have accessed far more data French officials are investigating a compromise of the government’s encrypted mess…
  • French government messaging platform breached through account hijacking — Feeds2.Feedburner · 2026-06-09
    French authorities are investigating a compromise of Tchap, the government’s secure messaging platform, after hackers hijacked a user account and gained access to public chat rooms. Tchap is the Frenc…
  • The French government's internal messaging service was compromised in a security breach — Engadget · 2026-06-09
    A threat actor has since claimed responsibility for the attack on the encrypted Tchap platform. The French government's in-house messaging service, Tchap, has been breached in a cyber attack. On June…
  • Tchap incident — www.numerique.gouv.fr · 2026-06-09
    On June 7, 2026, a user account on Tchap, the French State's encrypted instant messaging service, was compromised following an account takeover, an incident reported and analyzed in coordination with…

Timeline

  • 2026-06-07 — ANSSI detects breach of Tchap: ANSSI identified suspicious activity on Tchap, leading to an investigation into the account hijacking incident.
  • 2026-06-07 — Attacker claims responsibility: A cyber criminal claimed they accessed over 73,000 accounts and scraped 643,000 messages via social engineering.
  • 2026-06-09 — DINUM blocks compromised account: DINUM confirmed the identification and blocking of the account used for malicious requests to secure the platform.
  • 2026-06-09 — Investigation into data exposure ongoing: DINUM is analyzing logs to determine the nature of the data accessed and whether any was exfiltrated.

Related entities

  • Data Breach (Attack Type)
  • ANSSI (Company)
  • ANTS (Company)
  • CNIL (Company)
  • DINUM (Company)
  • French Government (Company)
  • France (Country)
  • CWE-200 - Exposure of Sensitive Information (Cwe)
  • CWE-798 - Use of Hard-coded Credentials (Cwe)
  • matrix.agent.education.tchap.gouv.fr (Domain)
  • Government (Industry)
  • T1041 - Exfiltration Over C2 Channel (Mitre Attack)
  • T1059.001 - PowerShell (Mitre Attack)
  • T1078 - Valid Accounts (Mitre Attack)
  • Matrix Protocol (Platform)
  • Tchap (Platform)
  • PowerShell (Tool)