French government messaging platform breached through account hijacking
French authorities are investigating a compromise of Tchap, the government’s secure messaging platform, after hackers hijacked a user account and gained access to public chat rooms.
Tchap is the French government’s messaging platform for civil servants, ministries, and public agencies. Built on the open-source Matrix protocol, it was developed to keep government communications on infrastructure managed by the French state rather than foreign technology providers.
The Interministerial Directorate for Digital Affairs (DINUM) said the incident was detected on June 7 by France’s national cybersecurity agency, ANSSI.
Following the discovery, DINUM launched an investigation to determine how the account was compromised, what data may have been accessed, and what steps were needed to contain the incident.
“At this stage, the account originating the malicious requests has been identified. It was immediately blocked to remove the attacker’s persistent access and allow for a thorough analysis of the data they were able to access,” DINUM said.
Officials stated that the incident did not affect private conversations protected by end-to-end encryption. According to DINUM, any information accessible through the compromised account would have been limited to public chat rooms, which are open to all Tchap users and whose messages are not encrypted.
While French officials described the breach as limited in scope, an alleged hacker claimed to have obtained 73,467 user accounts, 643,459 messages, 876 chat rooms with message history, 59,386 media files totaling 13.51 GB, and references to documents marked “Diffusion Restreinte,” a French government restricted-distribution classification. Access was allegedly gained through social engineering of an account associated with Tchap’s education environment.
None of those claims have been independently verified, and it remains unclear how much data the attacker was able to access.
DINUM has also notified France’s data protection authority, the CNIL, due to the potential exposure of personal data shared by some users in conversations accessible to the attacker, and alerted Tchap users that public chat rooms can be accessed by any user and are not encrypted.