Breach of French Government Messaging Service Tchap Exposes User Data

Severity: High (Score: 66.5)

Sources: Bleepingcomputer, www.numerique.gouv.fr, Theregister

Published: 2026-06-09 · Updated: 2026-06-09

Keywords: french, messaging, account, government, compromise, platform, breach

Severity indicators: pla, breach, government

Summary

The French government's encrypted messaging platform, Tchap, was breached through a hijacked user account. The attack was detected by ANSSI on June 7, 2026, leading to an investigation by DINUM. The attacker claims to have accessed over 73,000 user accounts and 643,000 messages, including sensitive data. DINUM has confirmed that personal information may have been exposed, prompting alerts to users and the CNIL. The breach reportedly involved social engineering to compromise an account on the education shard of Tchap. While officials assert that only public chat rooms were affected, the attacker claims to have accessed more extensive data, including restricted documents. Investigations are ongoing to determine the full scope of the breach and the nature of the exfiltrated data.

Key Points:

  • Tchap, the French government's messaging platform, was breached via account hijacking.
  • The attacker claims to have accessed over 73,000 accounts and 643,000 messages.
  • DINUM and ANSSI are investigating the breach, which may involve exposed personal data.

Detailed Analysis

**Impact** The breach affected Tchap, the French government’s encrypted messaging platform with over 300,000 monthly users, primarily civil servants across ministries and public sector organizations. The attacker accessed at least one compromised user account, potentially exposing over 73,000 user accounts, approximately 643,000 messages, nearly 60,000 media files, and sensitive organizational data. Public chat rooms were confirmed accessible, and there are unverified claims of access to documents marked "Diffusion Restreinte." The incident risks exposure of personal data, organizational information, meeting links, and device metadata, with potential operational impacts on government communications.

**Technical Details** The attack vector was a social engineering campaign targeting a valid user account on the education shard of Tchap’s decentralized Matrix protocol infrastructure. The attacker exploited compromised credentials, including allegedly leaked LDAP credentials, to gain persistent access and exfiltrate data. No malware or CVEs were reported; the compromise occurred at the account hijacking stage of the kill chain. The attacker leveraged Tchap’s media URL structure to download files without authentication tokens. Investigations are ongoing to determine the full scope of accessed data and exfiltration.

**Recommended Response** Immediate revocation and blocking of compromised accounts is critical, alongside a thorough audit of access logs to identify affected conversations and data. Organizations should enforce multi-factor authentication and enhance user awareness training to mitigate social engineering risks. Monitoring for unusual account activity and implementing stricter access controls on media file retrieval are advised. CNIL notification and compliance with data protection protocols should continue while forensic analysis proceeds. No specific patches or malware indicators have been reported.
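An added example, not taken from the cited sources or from Tchap's operators: one way to start the access-log audit recommended above is to flag clients that fetched many distinct media files over Matrix's legacy media paths, which were specified to be retrievable without an access token. The combined log format, the threshold and window, and every sample line are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Legacy Matrix media paths (no access token required by design); the
# authenticated replacement lives under /_matrix/client/v1/media/.
LEGACY = re.compile(r"^/_matrix/media/(?:r0|v1|v3)/(?:download|thumbnail)/([^/?\s]+)/([^/?\s]+)")
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|HEAD) (\S+) [^"]*" (\d{3}) ')

# Constructed sample lines (combined log format, documentation IP ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2026:02:10:01 +0200] "GET /_matrix/media/v3/download/example.org/AAA1 HTTP/1.1" 200 5120 "-" "curl/8.5"
203.0.113.7 - - [01/Jan/2026:02:10:02 +0200] "GET /_matrix/media/v3/download/example.org/AAA2 HTTP/1.1" 200 5120 "-" "curl/8.5"
203.0.113.7 - - [01/Jan/2026:02:10:03 +0200] "GET /_matrix/media/r0/download/example.org/AAA3 HTTP/1.1" 200 5120 "-" "curl/8.5"
203.0.113.7 - - [01/Jan/2026:02:10:04 +0200] "GET /_matrix/media/v3/thumbnail/example.org/AAA4?width=32 HTTP/1.1" 200 900 "-" "curl/8.5"
203.0.113.7 - - [01/Jan/2026:02:10:05 +0200] "GET /_matrix/media/v3/download/example.org/AAA5 HTTP/1.1" 404 0 "-" "curl/8.5"
203.0.113.7 - - [01/Jan/2026:03:30:00 +0200] "GET /_matrix/media/v3/download/example.org/AAA6 HTTP/1.1" 200 5120 "-" "curl/8.5"
198.51.100.20 - - [01/Jan/2026:02:11:00 +0200] "GET /_matrix/client/v1/media/download/example.org/BBB1 HTTP/1.1" 200 5120 "-" "Element"
198.51.100.20 - - [01/Jan/2026:02:11:05 +0200] "GET /_matrix/media/v3/download/example.org/BBB2 HTTP/1.1" 200 5120 "-" "Element"
192.0.2.9 - - [01/Jan/2026:02:12:00 +0200] "GET /_matrix/media/v3/download/example.org/CCC1 HTTP/1.1" 200 5120 "-" "Element"
192.0.2.9 - - [01/Jan/2026:02:12:01 +0200] "GET /_matrix/media/v3/download/example.org/CCC1 HTTP/1.1" 200 5120 "-" "Element"
"""

def bulk_legacy_media(log_text, threshold=3, window=timedelta(minutes=5)):
    """Map client IP -> most distinct media IDs served (HTTP 200) over legacy
    paths inside any single window, for clients reaching `threshold`."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not a GET/HEAD line in the assumed format
        ip, ts, path, status = m.groups()
        media = LEGACY.match(path)
        if media and status == "200":
            when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
            hits[ip].append((when, "/".join(media.groups())))
    flagged = {}
    for ip, events in hits.items():
        events.sort()
        best = 0
        for i, (start, _) in enumerate(events):
            # Distinct media fetched within `window` of this starting request.
            ids = {mid for when, mid in events[i:] if when - start <= window}
            best = max(best, len(ids))
        if best >= threshold:
            flagged[ip] = best
    return flagged
```

Repeated fetches of the same media ID and failed requests do not raise the count, so a client reloading one image is not flagged; tune the threshold and window to the deployment's normal traffic.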

Source articles (3)

  • French govt messaging service breached in account hijacking attack — Bleepingcomputer · 2026-06-09
    DINUM, the digital affairs directorate of the French government, warned that hackers used a hijacked user account to breach Tchap, the French government's encrypted messaging platform. Developed in-ho…
  • France probes compromise of gov messaging platform after account hijack — Theregister · 2026-06-09
    Authorities say the breach only exposed public chat rooms, but alleged attacker claims to have accessed far more data French officials are investigating a compromise of the government’s encrypted mess…
  • Incident Tchap — www.numerique.gouv.fr · 2026-06-09
    On 7 June 2026, ANSSI detected a compromise of Tchap, the French State's encrypted instant messaging service, following an account takeover. Investigations were immediately carried out…

Timeline

  • 2026-06-07 — Suspicious activity detected on Tchap: ANSSI identified unusual activity on Tchap, prompting an investigation by DINUM.
  • 2026-06-09 — DINUM alerts users about the breach: DINUM notified Tchap users of potential data exposure and confirmed the investigation is ongoing.
  • 2026-06-09 — Attacker claims responsibility: The attacker claimed to have accessed extensive data through social engineering, including sensitive documents.

Related entities

  • Data Breach (Attack Type)
  • ANSSI (Company)
  • ANTS (Company)
  • CNIL (Company)
  • DINUM (Company)
  • French Government (Company)
  • France (Country)
  • CWE-200 - Exposure of Sensitive Information (Cwe)
  • CWE-798 - Use of Hard-coded Credentials (Cwe)
  • matrix.agent.education.tchap.gouv.fr (Domain)
  • Government (Industry)
  • T1041 - Exfiltration Over C2 Channel (Mitre Attack)
  • T1059.001 - PowerShell (Mitre Attack)
  • T1078 - Valid Accounts (Mitre Attack)
  • Matrix Protocol (Platform)
  • Tchap (Platform)
  • PowerShell (Tool)