
DINUM, the digital affairs directorate of the French government, warned that hackers used a hijacked user account to breach Tchap, the French government’s encrypted messaging platform.
Developed in-house by DINUM in collaboration with ANSSI (the French Cybersecurity Agency) in 2018, Tchap is an instant messaging service and collaboration tool based on the decentralized Matrix protocol, designed exclusively for the French public sector.
Tchap has now reached over 300,000 monthly users and over 500,000 downloads on Google’s Play Store after Prime Minister François Bayrou mandated the use of Tchap and banned foreign apps for work communications for all civil servants in early August 2025.
DINUM revealed on Monday that ANSSI detected a Tchap breach on Sunday and said that a threat actor gained access to the secure instant messaging platform using a compromised user account.
The French digital affairs directorate has also alerted France’s data protection authority, the CNIL, to the incident because of the potential exposure of personal data shared by some users in conversations that the attacker could access, and has alerted all Tchap users, reminding them that public chat rooms are accessible to any user and are not encrypted.
“At this stage, the account originating the malicious requests has been identified. It was immediately blocked to remove the attacker’s persistent access and allow for a thorough analysis of the data they were able to access. The investigation continues, including the study of event logs, to identify the conversations that the attacker was able to access and the nature of the exfiltrated data,” DINUM said in a Monday press release.
“A message has been sent to all Tchap users reminding them that a public chat room can be found and joined by any user and that its content is not encrypted. In accordance with Tchap’s terms of service, no personal, sensitive, or confidential information should be exchanged in public chat rooms: such exchanges should be reserved for private chat rooms.”
While DINUM has not shared any further details regarding this breach, a threat actor claimed responsibility for the incident over the weekend, shared a sample of stolen files, and said they gained access to the platform following a social engineering attack.
“I social engineered a valid account on the training shard (matrix.agent.training.tchap.gouv.fr). Everything below is what that one account could reach; other shards may have more,” they said.
They claim to have stolen hardcoded LDAP credentials allegedly leaked via a PowerShell script shared by a French tax authority regional director, and over 13.5GB of documents and media files shared by public servants using the Tchap service.
The threat actors also allegedly scraped nearly 650,000 messages and information on over 73,000 accounts, including email addresses, organization information, meeting links, and account and device metadata.
“Every file ever shared on Tchap, on any shard, is downloadable without a token,” they added. “The media IDs come from the messages. Once you have a message with a media URL you can pull the file freely regardless of which shard hosts it.”
BleepingComputer reached out to DINUM with questions regarding the incident, but a response was not immediately available.
Last month, French authorities detained a 15-year-old suspected of selling data stolen in an April cyberattack on ANTS (Agence nationale des titres sécurisés), the country’s agency for issuing and managing official identity and registration documents.



