DINUM warns hackers hijacked Tchap account over weekend

France’s digital affairs directorate says a hijacked user account was used to breach Tchap, the government’s encrypted messaging platform. ANSSI detected the incident on Sunday, DINUM blocked the malicious account, and users were reminded that public chat room
A government encrypted-chat service built for the French public sector was compromised through something far less technical than malware.
DINUM, the digital affairs directorate of the French government, warned that hackers used a hijacked user account to breach Tchap, the French government’s encrypted messaging platform. The warning landed after ANSSI detected the intrusion on Sunday.
Tchap was developed in-house by DINUM in collaboration with ANSSI in 2018. It runs as an instant messaging and collaboration tool based on the decentralized Matrix protocol, and it has been built exclusively for the French public sector.
The scale of adoption is now significant: Tchap has surpassed 300,000 monthly users and more than 500,000 downloads on Google’s Play Store. That growth accelerated after Prime Minister François Bayrou mandated Tchap’s use and banned foreign apps for work communications for all civil servants in early August 2025.
DINUM said the attacker reached the platform using a compromised account. In a Monday press release, the directorate said it had also alerted France’s data protection authority, CNIL, because some personal data shared in conversations could have been exposed if the attacker accessed them.
DINUM also told Tchap users what went wrong in plain terms: public chat rooms are accessible to any user and are not encrypted.
“At this stage, the account originating the malicious requests has been identified. It was immediately blocked to remove the attacker’s persistent access and allow for a thorough analysis of the data they were able to access. The investigation continues, including the study of event logs, to identify the conversations that the attacker was able to access and the nature of the exfiltrated data,” DINUM said.
Alongside the internal response, DINUM issued a direct reminder to the user base. A message was sent to all Tchap users explaining that a public chat room can be found and joined by any user and that its content is not encrypted. The directorate added that, under Tchap’s terms of service, users should not exchange personal, sensitive, or confidential information in public chat rooms—those exchanges should be reserved for private chat rooms.
While DINUM has not shared additional technical details about the breach, a threat actor claimed responsibility over the weekend. The attacker said it gained access to the platform after a social engineering attack and provided a sample of allegedly stolen files.
The threat actor claimed it social engineered a valid account on the education shard—matrix.agent.education.tchap.gouv.fr—and said everything reachable from that account was listed in the files it shared. It added that other shards would have more.
The attacker alleged it stole hardcoded LDAP credentials, claiming they were leaked via a PowerShell script shared by a French tax authority regional director. It also alleged access to more than 13.5GB of documents and media files shared by public servants using Tchap.
Beyond files, the threat actor claimed it scraped nearly 650,000 messages and information on over 73,000 accounts. Those details allegedly included email addresses, organization information, meeting links, and account and device metadata.
The attacker also made broader claims about what could be downloaded from the system: “Every file ever shared on Tchap, on any shard, is downloadable without a token.” It said the media IDs come from the messages, and that once a message includes a media URL, the file can be pulled freely regardless of which shard hosts it.
DINUM did not immediately provide further details when contacted with questions about the incident.
The breach comes as French authorities have already been grappling with the aftershocks of earlier attacks. Last month, French authorities detained a 15-year-old suspected of selling data stolen in an April cyberattack on ANTS (Agence nationale des titres sécurisés), the agency responsible for issuing and managing official identity and registration documents.