Full Report
DINUM, the digital affairs directorate of the French government, warned that hackers used a hijacked user account to breach Tchap, the French government's encrypted messaging platform. [...]
Analysis Summary
# Incident Report: Tchap Messaging Platform Account Hijacking
## Executive Summary
In June 2026, the French government's encrypted messaging platform, Tchap, suffered a security breach following a social engineering attack that compromised a user account on the education shard. The attacker leveraged this access to scrape messages and download unencrypted media files from public chat rooms. DINUM responded by blocking the compromised account and notifying users, while an investigation into the full scope of data exfiltration remains ongoing.
## Incident Details
- **Discovery Date:** Sunday, June 8, 2026
- **Incident Date:** June 7–8, 2026
- **Affected Organization:** DINUM (Digital Affairs Directorate) / French Government
- **Sector:** Government / Public Sector
- **Geography:** France
## Timeline of Events
### Initial Access
- **Date/Time:** Weekend of June 7, 2026
- **Vector:** Social Engineering
- **Details:** A threat actor used social engineering to obtain access to a valid user account belonging to the education shard (matrix[.]agent[.]education[.]tchap[.]gouv[.]fr).
### Lateral Movement
- **Details:** Using the hijacked account, the attacker accessed public chat rooms. The attacker also claimed to have discovered hardcoded LDAP credentials in a PowerShell script shared by a regional director of the French tax authority.
### Data Exfiltration/Impact
- **Details:** The attacker scraped approximately 650,000 messages and metadata for over 73,000 accounts. They exploited a platform vulnerability where media IDs could be used to download files from any shard without an authentication token, resulting in the theft of 13.5GB of documents and media.
### Detection & Response
- **Discovery:** Detected by ANSSI (French Cybersecurity Agency) on Sunday, June 8, 2026.
- **Response actions taken:** The originating malicious account was identified and blocked; a press release was issued; the CNIL was notified; and a global alert was sent to all users.
## Attack Methodology
- **Initial Access:** Social Engineering / Account Hijacking.
- **Persistence:** Use of a legitimate, hijacked user session.
- **Privilege Escalation:** Not explicitly confirmed, though the attacker claimed access to LDAP credentials.
- **Defense Evasion:** Use of legitimate credentials to blend with authorized traffic.
- **Credential Access:** Social engineering of a user; discovery of hardcoded credentials in shared scripts.
- **Discovery:** Scraping account metadata and meeting links via the Tchap directory/public rooms.
- **Lateral Movement:** Shard-to-shard file access via media IDs.
- **Collection:** Automated scraping of messages and media downloads.
- **Exfiltration:** Exfiltration of 13.5GB of data.
- **Impact:** Exposure of personal data and sensitive government communications.
## Impact Assessment
- **Financial:** Unknown; costs related to incident response and forensic analysis.
- **Data Breach:** 650k messages, 73k account details (emails, metadata), and 13.5GB of media/files.
- **Operational:** Temporary disruption as security protocols were reviewed and account access restricted.
- **Reputational:** High; Tchap is the French government's sovereign alternative to foreign messaging apps, so a breach of this platform is a significant public interest matter.
## Indicators of Compromise
- **Network indicators:** matrix[.]agent[.]education[.]tchap[.]gouv[.]fr (Affected Shard).
- **Behavioral indicators:** Unusual scraping patterns; high-volume media downloads originating from a single user account across multiple shards.
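The behavioral indicators above can be turned into a concrete detection. The following is an added example, not code from the report or from DINUM: it parses a few constructed, Tchap-style media-download access log lines and flags any account whose download count, cross-shard reach or byte volume exceeds a threshold. The log format, field names (`user`, `home`, `media_shard`, `media_id`, `bytes`) and thresholds are assumptions for illustration; a production rule would evaluate them per time window.

```python
"""Flag accounts whose media downloads look like bulk, cross-shard scraping.

Added example; the log format and thresholds are assumptions, not Tchap's.
"""
from collections import defaultdict
from dataclasses import dataclass, field
import re

# Assumed log format: "<iso-ts> user=<mxid> home=<shard> media_shard=<shard> media_id=<id> bytes=<n>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) home=(?P<home>\S+) "
    r"media_shard=(?P<media_shard>\S+) media_id=(?P<media_id>\S+) bytes=(?P<bytes>\d+)$"
)

# Constructed sample: alice and carol behave normally, bob pulls files from
# several shards other than his home shard in a burst.
SAMPLE_LOG = """\
2026-06-07T22:01:03Z user=@alice:education home=education media_shard=education media_id=abc1 bytes=20480
2026-06-07T22:02:10Z user=@alice:education home=education media_shard=education media_id=abc2 bytes=10240
2026-06-07T22:02:11Z user=@bob:education home=education media_shard=finance media_id=fin1 bytes=4096000
2026-06-07T22:02:12Z user=@bob:education home=education media_shard=interior media_id=int7 bytes=2048000
2026-06-07T22:02:13Z user=@bob:education home=education media_shard=finance media_id=fin2 bytes=3072000
2026-06-07T22:02:14Z user=@bob:education home=education media_shard=finance media_id=fin3 bytes=1024000
2026-06-07T22:02:15Z user=@bob:education home=education media_shard=education media_id=edu9 bytes=512000
2026-06-07T22:03:00Z user=@carol:interior home=interior media_shard=interior media_id=int1 bytes=8192
"""


@dataclass
class Profile:
    downloads: int = 0
    total_bytes: int = 0
    foreign_shards: set = field(default_factory=set)  # shards other than the user's home


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        event = m.groupdict()
        event["bytes"] = int(event["bytes"])
        events.append(event)
    return events


def build_profiles(events):
    """Aggregate per-user download count, byte volume and foreign shards."""
    profiles = defaultdict(Profile)
    for e in events:
        p = profiles[e["user"]]
        p.downloads += 1
        p.total_bytes += e["bytes"]
        if e["media_shard"] != e["home"]:
            p.foreign_shards.add(e["media_shard"])
    return profiles


def flag_scrapers(events, max_downloads=4, max_foreign_shards=1, max_bytes=5_000_000):
    """Return {user: [reasons]} for every account over any threshold."""
    findings = {}
    for user, p in build_profiles(events).items():
        reasons = []
        if p.downloads > max_downloads:
            reasons.append(f"download_count={p.downloads} > {max_downloads}")
        if len(p.foreign_shards) > max_foreign_shards:
            reasons.append(f"foreign_shards={len(p.foreign_shards)} > {max_foreign_shards}")
        if p.total_bytes > max_bytes:
            reasons.append(f"bytes={p.total_bytes} > {max_bytes}")
        if reasons:
            findings[user] = reasons
    return findings


if __name__ == "__main__":
    for user, reasons in flag_scrapers(parse_log(SAMPLE_LOG)).items():
        print(user, "->", "; ".join(reasons))
```

The cross-shard counter is the signal most specific to this incident: a user on one shard fetching media from several others is unusual for ordinary use and matches the way the reported flaw was abused, whereas raw download counts alone would also catch legitimate heavy users.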
## Response Actions
- **Containment:** Immediate blocking of the hijacked account to terminate attacker access.
- **Eradication:** Investigation of event logs to identify the full scope of accessed conversations.
- **Recovery:** Notification of the data protection authority (CNIL) and user-wide security reminders.
## Lessons Learned
- **Public vs. Private:** Users were not clearly aware that "Public" chat rooms, unlike "Private" rooms, are not encrypted.
- **File Security:** The platform's media handling allowed unauthenticated downloads via Media IDs, representing a critical flaw in the Matrix implementation used.
- **Credential Hygiene:** High-ranking officials sharing scripts containing hardcoded credentials remains a significant risk.
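The credential-hygiene lesson is easiest to enforce before a script is shared. The block below is an added example, not code from the report or from any French agency: a small scanner that checks a constructed PowerShell script for the patterns that usually indicate an embedded credential (a password literal assigned to a variable, `ConvertTo-SecureString ... -AsPlainText`, and an LDAP URL carrying `user:password@`). The rule set and the sample script are assumptions for illustration.

```python
"""Scan a PowerShell script for hardcoded credentials before it is shared.

Added example; the rules and the sample script are constructed, not from the
incident. Findings report the line and rule only, never the secret itself.
"""
from dataclasses import dataclass
import re

# Each rule: (name, compiled regex). Kept deliberately narrow to limit noise.
RULES = [
    ("password_literal",
     re.compile(r"""(?i)\$\w*(pass|pwd|secret|token)\w*\s*=\s*["'][^"']+["']""")),
    ("plaintext_securestring",
     re.compile(r"(?i)ConvertTo-SecureString\b.*-AsPlainText")),
    ("ldap_url_userinfo",
     re.compile(r"(?i)ldaps?://[^/\s:@]+:[^@\s]+@")),
]

# Constructed sample (placeholder values, not a real script or real credentials).
SAMPLE_SCRIPT = r'''# Constructed sample of a shared PowerShell script
$ldapServer = "LDAP://dc01.example.invalid"
$svcUser = "DOMAIN\svc_ldap_reader"
$svcPass = "P@ssw0rd-placeholder"
$secure = ConvertTo-SecureString $svcPass -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential($svcUser, $secure)
$legacy = "ldap://svc_ldap_reader:P@ssw0rd-placeholder@dc01.example.invalid"
$interactive = Get-Credential   # acceptable: prompts instead of embedding
'''


@dataclass(frozen=True)
class Finding:
    line: int
    rule: str


def scan_script(text):
    """Return findings in line order; one per (line, rule) pair that matches."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(lineno, name))
    return findings


def has_hardcoded_credentials(text):
    """Convenience gate for a pre-share or pre-commit hook."""
    return bool(scan_script(text))


if __name__ == "__main__":
    for f in scan_script(SAMPLE_SCRIPT):
        print(f"line {f.line}: {f.rule}")
```

The `Get-Credential` line is intentionally left unflagged: prompting at run time, or reading from a managed secret store, is the pattern the scanner should steer authors toward.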
## Recommendations
- **Technical:** Implement Multi-Factor Authentication (MFA) for all Tchap accounts to mitigate social engineering risks.
- **Architecture:** Restrict media downloads to require valid session tokens associated with the specific room where the file was shared.
- **Training:** Conduct security awareness training for civil servants regarding the sharing of scripts/code and the sensitivity of public chat rooms.
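To make the Architecture recommendation concrete, the following added example (not Tchap's or Matrix's code) models the reported flaw in memory beside the hardened check: the weak path returns a file from any shard given only its media ID, while the hardened path requires a known session token and verifies that the token's user is a member of the room the file was shared in. The data model, token handling and fixture values are assumptions for illustration.

```python
"""Media download authorization: the weak pattern beside the hardened one.

Added example; the store, sessions and fixtures are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Media:
    media_id: str
    shard: str
    room_id: str
    content: bytes


class MediaStore:
    """In-memory stand-in for a cross-shard media repository."""
    def __init__(self):
        self.media = {}      # media_id -> Media
        self.sessions = {}   # opaque access token -> user id
        self.members = {}    # room_id -> set of user ids


class Forbidden(Exception):
    pass


# Constructed fixtures: alice (education shard) may read her own room's file,
# but the finance room's file should be out of reach regardless of its ID.
STORE = MediaStore()
STORE.media["edu-doc-1"] = Media("edu-doc-1", "education", "!staff:education", b"timetable")
STORE.media["fin-doc-7"] = Media("fin-doc-7", "finance", "!audit:finance", b"script.ps1")
STORE.sessions["tok-alice"] = "@alice:education"
STORE.members["!staff:education"] = {"@alice:education"}
STORE.members["!audit:finance"] = {"@dan:finance"}


def download_weak(store, media_id):
    """The reported flaw: the media ID is the only 'secret', and no token
    or room membership is checked, so any shard's file is reachable."""
    return store.media[media_id].content


def download_hardened(store, media_id, token):
    """Require a valid session and membership in the media's room."""
    if token is None:
        raise Forbidden("missing access token")
    user = store.sessions.get(token)
    if user is None:
        raise Forbidden("invalid access token")
    media = store.media.get(media_id)
    # Unknown and unauthorized IDs yield the same error, so the endpoint
    # cannot be used to confirm which media IDs exist.
    if media is None or user not in store.members.get(media.room_id, set()):
        raise Forbidden("not authorized for this media")
    return media.content


def is_forbidden(store, media_id, token):
    """True if the hardened path rejects the request."""
    try:
        download_hardened(store, media_id, token)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    print(download_weak(STORE, "fin-doc-7"))                     # flaw: served
    print(download_hardened(STORE, "edu-doc-1", "tok-alice"))    # allowed
    print(is_forbidden(STORE, "fin-doc-7", "tok-alice"))         # True
```

Binding the check to room membership rather than to the shard alone is what matters: a valid session on one shard is not, by itself, evidence that the holder was ever in the room where the file was posted.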