France’s Digital Affairs Agency (DINUM) issued an urgent security alert after hackers successfully infiltrated Tchap, the French government’s internal encrypted communication platform, by hijacking a legitimate user account. The breach may have resulted in unauthorized access to personal information shared by government employees in conversations on the platform.

What Is Tchap?

Tchap is an instant messaging and collaborative office tool developed jointly by DINUM and France’s National Agency for Cybersecurity (ANSSI) in 2018. Built on the open, decentralized Matrix protocol, the platform was designed exclusively for French public sector employees. It currently counts over 300,000 monthly active users and has been downloaded more than 500,000 times on the Google Play Store.

Its use became even more widespread in August 2025, when Prime Minister François Bayrou issued a directive requiring all government employees to use Tchap for official communications, simultaneously prohibiting the use of foreign messaging applications.

How the Breach Occurred

France’s cybersecurity agency ANSSI first detected abnormal intrusion activity on Sunday. Preliminary investigation confirmed attackers gained access by compromising a single user’s account. DINUM subsequently reported the incident to CNIL, France’s data protection regulator, acknowledging that personal data shared in chats may have been accessed or exported by the attacker.

An individual claiming responsibility over the weekend stated they gained entry via a social engineering attack, targeting an account in the education shard of the platform (matrix.agent.education.tchap.gouv.fr). By their telling, they obtained LDAP credentials that appeared to be hard-coded into a PowerShell script shared by a regional head of the French tax department.
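A defensive check for the failure mode described above, directory credentials left inline in a shared PowerShell script, as an added example that is not part of the original report: a small Python scanner that flags literal secrets and redacts them in its output. The sample script, host name, account and password are constructed, and the three patterns are illustrative assumptions, not a complete rule set.

```python
import re

# Constructed sample: an admin script with LDAP bind credentials left inline.
# Host, account name and password are invented for this example.
SAMPLE_PS1 = r'''
$ldapPath = "LDAP://dc01.example.internal/DC=example,DC=internal"
$entry = New-Object System.DirectoryServices.DirectoryEntry($ldapPath, "EXAMPLE\svc-sync", "Winter2026!")
$bindPassword = 'Winter2026!'
$sec = ConvertTo-SecureString "Winter2026!" -AsPlainText -Force
# $oldPassword = "ignored-in-comment"
$cred = Get-Credential -Message "LDAP bind account"
$apiPassword = $env:SYNC_PASSWORD
'''

# Each rule is (name, regex); group 1 captures the literal secret for redaction.
# [^"'$] excludes "$", so strings built from variables or $env: are not flagged.
RULES = [
    ("plaintext-securestring",
     re.compile(r'''ConvertTo-SecureString\s+(?:-String\s+)?["']([^"'$]+)["'].*-AsPlainText''', re.I)),
    ("literal-secret-assignment",
     re.compile(r'''\$\w*(?:pass(?:word|wd)?|pwd|secret|token)\w*\s*=\s*["']([^"'$]+)["']''', re.I)),
    ("directoryentry-literal-password",
     re.compile(r'''DirectoryEntry\s*\([^,]+,[^,]+,\s*["']([^"'$]+)["']''', re.I)),
]

def scan_powershell(text):
    """Return findings as (line_no, rule, redacted_line); comment lines are skipped."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        for rule, pattern in RULES:
            m = pattern.search(stripped)
            if m:
                # Never echo the secret itself into reports or CI logs.
                redacted = stripped.replace(m.group(1), "<redacted>")
                findings.append((no, rule, redacted))
    return findings

if __name__ == "__main__":
    for no, rule, line in scan_powershell(SAMPLE_PS1):
        print(f"line {no}: {rule}: {line}")
```

Any credential such a scan finds should be treated as exposed and rotated, since the script may already have been copied or shared.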

Note on unverified claims: The following scale figures were asserted by the attacker and have not been independently confirmed or officially acknowledged by DINUM as of publication. An inquiry from BleepingComputer to DINUM had not received a response at press time.

13.5 GB: documents and media allegedly exported
650K+: message records allegedly scraped
73,000+: accounts allegedly exposed

A Possible Architectural Flaw

Beyond the social engineering vector, the attacker also alleged a deeper structural vulnerability in Tchap’s architecture: that all files ever shared on any shard of the platform can be downloaded without authentication. According to the claim, once a message containing a media URL is obtained, the corresponding file can be fetched directly using its media ID, without a token, and regardless of which server shard it resides on.

DINUM has not officially confirmed or denied the existence of this vulnerability. The technical team is continuing to analyze incident logs to determine the scope of sessions accessed and data potentially leaked.

DINUM’s Response

Upon discovering the breach, DINUM identified the specific account from which the malicious requests originated and immediately banned it to cut off continued access. The agency also issued a reminder that public chat rooms on Tchap are accessible to any registered user and their content is not encrypted — and that no sensitive, personal, or confidential information should be shared in public rooms, as the platform’s terms of use explicitly require.

Broader Context

This incident is not isolated. Just last month, French authorities arrested a 15-year-old suspect accused of selling data stolen from ANTS, the national agency responsible for issuing identity and registration documents. That breach originated from a cyberattack in April 2026, after which stolen data reportedly circulated on underground forums.

Together, these incidents highlight the mounting cybersecurity pressure on France’s public sector during its digital transformation — and raise pointed questions about account security controls, access management, and data encryption standards on government-run communication infrastructure.