ANSSI, DINUM and French Tax Authority: French govt messaging service breached in account hijacking attack

ANSSI, DINUM and French Tax Authority: French govt messaging service breached in account hijacking attack

French Government’s Secure Messaging Platform Tchap Breached via Compromised Account

The French government’s encrypted messaging platform, Tchap, was breached after hackers gained access using a hijacked user account. Developed by DINUM (the digital affairs directorate) in collaboration with ANSSI (France’s cybersecurity agency) in 2018, Tchap is a Matrix-based secure messaging tool exclusively for the French public sector, with over 300,000 monthly users and 500,000 Play Store downloads as of 2025.

The breach was detected by ANSSI on Sunday, prompting DINUM to disclose the incident on Monday. The attacker accessed the platform through a compromised account, potentially exposing personal data shared in conversations. DINUM has notified CNIL (France’s data protection authority) and warned users that public chat rooms are unencrypted and accessible to any user, advising against sharing sensitive information in them.

While the compromised account was immediately blocked, the investigation is ongoing to determine the extent of the breach. A threat actor later claimed responsibility, stating they gained access via social engineering on the education shard (matrix.agent.education.tchap.gouv.fr). The attacker alleged they exfiltrated:

  • Hardcoded LDAP credentials from a PowerShell script shared by a French tax authority official.
  • 13.5GB of documents and media files shared by public servants.
  • Nearly 650,000 messages and metadata from 73,000+ accounts, including emails, organizational details, meeting links, and device information.

The attacker also claimed that all files shared on Tchap were downloadable without authentication, regardless of the shard hosting them. DINUM has not confirmed these details, and the incident remains under investigation.

This breach follows a recent cyberattack on ANTS (France’s national agency for secure documents), where a 15-year-old was detained last month for allegedly selling stolen data.

Source: https://www.bleepingcomputer.com/news/security/french-govt-messaging-service-breached-in-account-hijacking-attack/

ANSSI - Agence nationale de la sécurité des systèmes d'information cybersecurity rating report: https://www.rankiteo.com/company/anssi-fr

French Ministry for Armed Forces cybersecurity rating report: https://www.rankiteo.com/company/french-ministry-of-armed-forces

Direction interministérielle du numérique (DINUM) cybersecurity rating report: https://www.rankiteo.com/company/direction-interministerielle-du-numerique-dinum

"id": "ANSFREDIR1781008517",
"linkid": "anssi-fr, french-ministry-of-armed-forces, direction-interministerielle-du-numerique-dinum",
"type": "Breach",
"date": "6/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': '73,000+ accounts (public '
                                              'servants)',
                        'industry': 'Government/Public Sector',
                        'location': 'France',
                        'name': 'Tchap (DINUM & ANSSI)',
                        'size': '500,000+ downloads (300,000+ monthly users)',
                        'type': 'Government Secure Messaging Platform'}],
 'attack_vector': 'Compromised Account (Social Engineering)',
 'customer_advisories': 'Public servants advised against sharing sensitive '
                        'information in public chat rooms',
 'data_breach': {'data_encryption': 'Public chat rooms unencrypted; other data '
                                    'encryption status unclear',
                 'data_exfiltration': True,
                 'file_types_exposed': ['Documents', 'Media files'],
                 'number_of_records_exposed': '650,000+ messages, 13.5GB of '
                                              'files',
                 'personally_identifiable_information': True,
                 'sensitivity_of_data': 'High (government communications, '
                                        'personally identifiable information)',
                 'type_of_data_compromised': ['Personal data',
                                              'Documents',
                                              'Media files',
                                              'Messages',
                                              'Metadata (emails, '
                                              'organizational details, meeting '
                                              'links, device information)']},
 'date_detected': 'Sunday (exact date not specified)',
 'date_publicly_disclosed': 'Monday (exact date not specified)',
 'description': 'The French government’s encrypted messaging platform, Tchap, '
                'was breached after hackers gained access using a hijacked '
                'user account. The attacker accessed the platform through a '
                'compromised account, potentially exposing personal data '
                'shared in conversations. The breach was detected by ANSSI, '
                'and the investigation is ongoing to determine the extent of '
                'the exposure.',
 'impact': {'brand_reputation_impact': 'Potential reputational damage to '
                                       'French government’s secure '
                                       'communications',
            'data_compromised': 'Personal data, documents, media files, '
                                'messages, metadata (emails, organizational '
                                'details, meeting links, device information)',
            'identity_theft_risk': 'High (exposure of emails, organizational '
                                   'details, and device information)',
            'operational_impact': 'Compromised account blocked, ongoing '
                                  'investigation',
            'systems_affected': 'Tchap secure messaging platform '
                                '(Matrix-based)'},
 'initial_access_broker': {'entry_point': 'Social engineering on the education '
                                          'shard '
                                          '(matrix.agent.education.tchap.gouv.fr)'},
 'investigation_status': 'Ongoing',
 'post_incident_analysis': {'root_causes': 'Compromised account via social '
                                           'engineering, hardcoded credentials '
                                           'in shared scripts, unencrypted '
                                           'public chat rooms'},
 'recommendations': 'Avoid sharing sensitive information in public chat rooms, '
                    'review security of shared scripts and credentials',
 'references': [{'source': 'DINUM Public Disclosure'}],
 'regulatory_compliance': {'regulatory_notifications': 'CNIL (France’s data '
                                                       'protection authority) '
                                                       'notified'},
 'response': {'communication_strategy': 'Public disclosure by DINUM, '
                                        'notification to CNIL',
              'containment_measures': 'Compromised account immediately blocked',
              'incident_response_plan_activated': True,
              'remediation_measures': 'Ongoing investigation, user advisories '
                                      'against sharing sensitive information '
                                      'in public chat rooms'},
 'stakeholder_advisories': 'Users warned about unencrypted public chat rooms',
 'threat_actor': 'Unknown (claimed by an unidentified threat actor)',
 'title': 'French Government’s Secure Messaging Platform Tchap Breached via '
          'Compromised Account',
 'type': 'Data Breach',
 'vulnerability_exploited': 'Public chat rooms unencrypted and accessible to '
                            'any user, hardcoded LDAP credentials in shared '
                            'scripts'}
Great! Next, complete checkout for full access to Rankiteo Blog.
Welcome back! You've successfully signed in.
You've successfully subscribed to Rankiteo Blog.
Success! Your account is fully activated, you now have access to all content.
Success! Your billing info has been updated.
Your billing was not updated.