French government Tchap messaging platform breached via hijacked account (2026)
French authorities confirmed that an attacker hijacked a Tchap user account to access public chat rooms on the French state's secure messaging platform, with the intruder claiming to have scraped tens of thousands of accounts and hundreds of thousands of messages.
- Victim
- Tchap (DINUM)
On 9 June 2026, the Interministerial Directorate for Digital Affairs (DINUM) confirmed that Tchap — the French state's secure messaging platform for civil servants, ministries and public agencies — had been compromised after an attacker hijacked a legitimate user account. France's national cybersecurity agency, ANSSI, detected the intrusion on 7 June 2026, and DINUM said it immediately moved to block the affected account and investigate.
What happened
Tchap is built on the open-source Matrix protocol and was developed so that government communications run on infrastructure managed by the French state rather than by foreign technology providers. According to DINUM, the attacker gained access through a compromised user account — reportedly obtained via social engineering of an account tied to Tchap's education environment — rather than by breaking the platform's cryptography.
Officials stressed that private, end-to-end encrypted conversations were not affected. DINUM said the information reachable through the hijacked account was limited to public chat rooms, which are open to all Tchap users and whose messages are not encrypted.
Attacker claims (unverified)
The alleged intruder claimed to have obtained 73,467 user accounts, 643,459 messages, 876 chat rooms with message history, and 59,386 media files totalling roughly 13.5 GB, along with references to documents marked "Diffusion Restreinte" — a French government restricted-distribution classification. None of these claims have been independently verified, and it remains unclear how much data the attacker actually accessed.
Why it matters
Tchap was created precisely to give the French government digital sovereignty over sensitive internal communications, so a breach — even one limited to public rooms — is politically sensitive. The incident is a reminder that a platform's cryptography is only as strong as the accounts and onboarding flows around it: end-to-end encryption protected the private conversations, but a single hijacked account still gave an outsider a window into a state communications system.
Timeline
France's national cybersecurity agency ANSSI detects the compromise of a Tchap account.
DINUM publicly confirms the intrusion; the incident is widely reported and an investigation is opened.
Sources
- helpnetsecurity.comhttps://www.helpnetsecurity.com/2026/06/09/tchap-french-government-secure-messaging-platform-breach/
- theregister.comhttps://www.theregister.com/security/2026/06/09/france-probes-compromise-of-gov-messaging-platform-after-account-hijack/5252717
- bleepingcomputer.comhttps://www.bleepingcomputer.com/news/security/french-govt-messaging-service-breached-in-account-hijacking-attack/
- scworld.comhttps://www.scworld.com/brief/french-government-messaging-platform-tchap-breached-via-hijacked-account