French Govt Messaging Service Breached in Account Hijacking Attack

Tchap, France’s in‑house encrypted messaging platform, was launched in 2018 by DINUM in partnership with ANSSI to replace foreign communication tools for civil servants. Mandated by Prime Minister François Bayrou in August 2025, the app quickly grew to over 300,000 monthly users and half‑a‑million downloads, positioning itself as a cornerstone of public‑sector digital collaboration. Built on the decentralized Matrix protocol, Tchap offers end‑to‑end encryption for private rooms while public channels remain plaintext, a design choice intended for open discussion but one that creates a surface for data exposure.

The breach unfolded when a threat actor social‑engineered credentials for an education‑shard account, granting access to a wide swath of the network. Within minutes the attacker harvested more than 13.5 GB of documents, media files, and metadata, scraping roughly 650,000 messages and details from over 73,000 user profiles. Because public chat rooms on Tchap are not encrypted, the intruder could download any shared file without a token, amplifying the scope of the leak. DINUM’s rapid response—blocking the compromised account and notifying the CNIL—mitigated further intrusion, yet the incident highlights how a single hijacked credential can cascade into massive data loss.

For governments worldwide, the Tchap incident serves as a cautionary tale about balancing accessibility with security. Reliance on public channels that lack encryption, combined with insufficient multi‑factor authentication, creates exploitable gaps even in platforms touted as secure. Moving forward, French authorities are likely to tighten credential management, enforce stricter encryption policies for all chat types, and reconsider the permissibility of unencrypted public rooms. The episode reinforces the broader industry imperative: robust identity verification and end‑to‑end protection are non‑negotiable for any official communication tool.