The French Government Digital Affairs Agency (DINUM) recently issued a security advisory stating that attackers breached Tchap, the French government's internal encrypted communication platform, by hijacking a legitimate user account. The breach may have resulted in unauthorized access to personal information that some users shared in conversations.

Tchap was jointly developed by DINUM and the French National Information Systems Security Agency (ANSSI) in 2018. It is based on the decentralized Matrix protocol and is positioned as an instant messaging and collaboration tool for the French public sector, open only to users in the public service. The app has grown steadily since its launch: it now has more than 300,000 monthly active users in the French public sector and has been downloaded more than 500,000 times from the Google Play Store. In early August 2025, French Prime Minister François Bayrou issued a notice requiring all public servants to use Tchap for official communications and prohibiting the use of communication applications from foreign vendors, which significantly expanded the platform's scope of use and the volume of data it carries.

DINUM disclosed in a press release issued on Monday that ANSSI first detected anomalous activity indicating an intrusion on the Tchap platform on Sunday. A preliminary investigation confirmed that the attacker entered the system through a user's compromised account, thereby gaining access to the encrypted communication platform. DINUM then reported the incident to the French data protection regulator CNIL, because personal data shared by some users in chats may have been accessed or exported by the attacker. DINUM also issued a reminder to all Tchap users, emphasizing that public chat rooms on the platform are open to any registered user and that content in such public rooms is not protected by encryption.

DINUM stated that it locked and banned the specific account from which the malicious requests originated immediately after discovering the problem, both to cut off the attacker's continued access and to allow in-depth analysis of the scope of that access and of any potential data leakage. The investigation is still ongoing, and the technical team is comparing event logs in detail to determine which sessions the attacker accessed, as well as the type and scope of data that may have been transmitted. Officials also reiterated that no personal, sensitive or confidential information should be shared in Tchap’s public chat rooms; such content must be communicated only in private chat rooms, which is an explicit requirement of the platform’s terms of use.

Although DINUM has not disclosed further technical details, an attacker claimed responsibility for the incident over the weekend and published a sample of files allegedly stolen from Tchap, saying that they gained access to the platform through a social engineering attack. The attacker claimed that they "obtained access to a valid account in the education shard (matrix.agent.education.tchap.gouv.fr) through social engineering" and emphasized that the exposed data was only the content accessible to this single account, and that there may be more data in other shards.

By their own account, the attackers obtained LDAP credentials during this attack that were suspected to be hard-coded in a script; the credentials allegedly came from a PowerShell script shared by a regional director of the French tax department. The attackers also claimed to have exported more than 13.5GB of documents and media files from the Tchap platform, which French public officials had uploaded and shared in their daily use. They further stated that they captured nearly 650,000 message records and related information on more than 73,000 accounts, including sensitive elements such as user email addresses, affiliation information, meeting links, and account and device metadata.

On the technical side, the attackers also claimed that Tchap's architecture has a serious flaw: "all files that have been shared on any shard in the platform can be downloaded without a token." According to the attackers, once message content containing a media URL is obtained, the media ID can be used to download the corresponding file directly without authentication, regardless of the shard on which it is stored. DINUM has not officially confirmed these specific technical claims or the stated scale of the data. BleepingComputer sent an inquiry to DINUM about this, but had not received a reply as of press time.

It is worth noting that just last month, France announced the arrest of a 15-year-old suspect accused of selling data stolen from the French national security document agency ANTS (the national agency responsible for the issuance and management of official identity and registration documents). The case stemmed from a cyber attack on ANTS in April this year, after which the attackers sold the stolen data on underground forums, prompting widespread public concern. The Tchap intrusion once again highlights the complex cybersecurity challenges the French public sector faces in its digital transformation. It also raises the bar for account security management, access control and data encryption strategies on the government's internal communication platform.