"At this stage, the account originating the malicious requests has been identified. It was immediately blocked to remove the attacker's persistent access and allow for a thorough analysis of the data they were able to access," DINUM said in a Monday press release.
DINUM and ANSSI detected the intrusion; account blocked
France's digital affairs directorate, DINUM, disclosed that ANSSI (the French Cybersecurity Agency) detected a breach of Tchap on Sunday and that the intrusion came via a compromised user account. DINUM said the account that originated the malicious requests has been identified and was immediately blocked. The directorate added that the investigation is ongoing and includes a study of event logs to determine which conversations the attacker accessed and what data may have been exfiltrated.
What was targeted: Tchap, a government-only messaging platform
Tchap is an instant messaging service and collaboration tool developed in-house by DINUM in collaboration with ANSSI in 2018 and built on the decentralized Matrix protocol. Designed exclusively for the French public sector, the platform reached over 300,000 monthly users and exceeded 500,000 downloads on Google's Play Store after Prime Minister François Bayrou, in early August 2025, mandated its use for all civil servants and banned foreign apps for work communications.
Threat actor's public claims: social engineering, LDAP credentials, and bulk data
While DINUM has not released further technical detail, a threat actor claimed responsibility over the weekend and shared a sample of stolen files. In a message published by the actor, they said: "I social engineered a valid account on the education shard (matrix.agent.education.tchap.gouv.fr). Everything below is what that one account could reach, other shards will have more."
The actor also claimed to have stolen hardcoded LDAP credentials allegedly leaked via a PowerShell script "shared by a French tax authority regional director." They asserted they obtained over 13.5GB of documents and media files shared by public servants using Tchap, scraped nearly 650,000 messages, and collected information on over 73,000 accounts — including email addresses, organization information, meeting links, and account and device metadata.
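A defender's check for the leak vector described above (plain-text LDAP credentials in a circulated PowerShell script), written here as an added example rather than anything from DINUM or the actor; the sample script, hostnames and matching rules are constructed review heuristics, not a complete secret scanner.

```python
"""Flag hard-coded LDAP/AD credentials in PowerShell scripts before they are shared."""
import re

# Heuristic patterns (constructed for this example) that usually carry a literal
# secret in PowerShell scripts that bind to LDAP / Active Directory.
PATTERNS = {
    "plaintext-securestring": re.compile(
        r"ConvertTo-SecureString\s+(['\"])(?P<secret>[^'\"]+)\1\s+-AsPlainText", re.I),
    "directoryentry-ctor": re.compile(
        r"DirectoryEntry\s*\([^,]*,\s*['\"](?P<user>[^'\"]+)['\"]\s*,\s*['\"](?P<secret>[^'\"]+)['\"]", re.I),
    "password-assignment": re.compile(
        r"\$\w*(?:pass|pwd|password)\w*\s*=\s*(['\"])(?P<secret>[^'\"]{4,})\1", re.I),
    "ldap-uri-with-creds": re.compile(
        r"ldaps?://(?P<user>[^:/@\s]+):(?P<secret>[^@\s]+)@", re.I),
}

def redact(secret: str) -> str:
    """Keep a two-character hint so a reviewer can locate the value, never the whole secret."""
    return secret[:2] + "*" * max(len(secret) - 2, 0)

def scan_script(text: str) -> list:
    """Return one finding per (line, rule) match; full-line comments are skipped."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        for rule, rx in PATTERNS.items():
            m = rx.search(line)
            if m:
                findings.append({"line": lineno, "rule": rule,
                                 "redacted": redact(m.group("secret"))})
    return findings

SAMPLE = r'''
# constructed sample of a script a regional office might circulate
$ldapPath = "LDAP://dc01.example.invalid/DC=example,DC=invalid"
$svcPassword = "Winter2025!"
$de = New-Object System.DirectoryServices.DirectoryEntry($ldapPath, "EXAMPLE\svc-ldap", "Winter2025!")
$sec = ConvertTo-SecureString "Winter2025!" -AsPlainText -Force
$cred = Get-Credential   # interactive prompt: nothing hard-coded, not flagged
'''

if __name__ == "__main__":
    for finding in scan_script(SAMPLE):
        print(finding)
```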
Technical assertion about media access and shards
The threat actor made a technical claim about how media is served on Tchap: "Every file ever shared on Tchap, on any shard, is downloadable without a token," they wrote. "The media IDs come from the messages. Once you have a message with a media URL you can pull the file freely regardless of which shard hosts it." Those statements, attributed to the actor, describe a method by which an attacker could retrieve files once they possess message-level media URLs; DINUM has not publicly corroborated or refuted these technical specifics in its release.
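One detection a team operating a Tchap shard could apply to the tokenless-download claim, added here as an example (not DINUM's or the actor's code): it reads constructed reverse-proxy log lines in an assumed format and flags clients that pull many distinct media items over the legacy media route with no Authorization header.

```python
"""Spot bulk, tokenless media downloads in a Matrix homeserver's reverse-proxy logs."""
import re
from collections import defaultdict

# Legacy media routes that historically served files without an access token.
# The authenticated replacement under /_matrix/client/v1/media/ is deliberately not matched.
MEDIA_RX = re.compile(
    r"^/_matrix/media/(?:r0|v1|v3)/(?:download|thumbnail)/(?P<server>[^/]+)/(?P<media_id>[^/?]+)")

def parse(line: str) -> dict:
    """Constructed log format: timestamp client method path status auth=yes|no."""
    ts, client, method, path, status, auth = line.split()
    return {"ts": ts, "client": client, "method": method, "path": path,
            "status": int(status), "auth": auth == "auth=yes"}

def tokenless_media_report(lines, threshold: int = 5) -> dict:
    """Count distinct media items each client fetched with HTTP 200 and no token,
    and flag clients at or above `threshold` (a bulk-scraping signal)."""
    served = defaultdict(set)
    for line in lines:
        ev = parse(line)
        m = MEDIA_RX.match(ev["path"])
        if m and ev["status"] == 200 and not ev["auth"]:
            served[ev["client"]].add((m["server"], m["media_id"]))
    counts = {client: len(items) for client, items in served.items()}
    flagged = sorted(c for c, n in counts.items() if n >= threshold)
    return {"counts": counts, "flagged": flagged}

SAMPLE_LOG = [  # constructed lines; RFC 5737 addresses and .example hostnames
    "2025-11-30T10:00:01Z 203.0.113.7 GET /_matrix/media/v3/download/shard-a.example/m001 200 auth=no",
    "2025-11-30T10:00:02Z 203.0.113.7 GET /_matrix/media/v3/download/shard-a.example/m002 200 auth=no",
    "2025-11-30T10:00:03Z 203.0.113.7 GET /_matrix/media/v3/download/shard-b.example/m003 200 auth=no",
    "2025-11-30T10:00:04Z 203.0.113.7 GET /_matrix/media/v3/download/shard-b.example/m004?allow_remote=true 200 auth=no",
    "2025-11-30T10:00:05Z 203.0.113.7 GET /_matrix/media/v3/thumbnail/shard-a.example/m005?width=96&height=96 200 auth=no",
    "2025-11-30T10:00:06Z 203.0.113.7 GET /_matrix/media/v3/download/shard-a.example/m001 200 auth=no",
    "2025-11-30T10:00:07Z 203.0.113.7 GET /_matrix/media/v3/download/shard-c.example/m006 200 auth=no",
    "2025-11-30T10:00:08Z 198.51.100.2 GET /_matrix/client/v1/media/download/shard-a.example/m001 200 auth=yes",
    "2025-11-30T10:00:09Z 198.51.100.2 GET /_matrix/media/v3/download/shard-a.example/m002 200 auth=yes",
    "2025-11-30T10:00:10Z 192.0.2.9 GET /_matrix/media/v3/download/shard-a.example/m007 401 auth=no",
    "2025-11-30T10:00:11Z 192.0.2.9 GET /_matrix/media/v3/download/shard-a.example/m008 200 auth=no",
    "2025-11-30T10:00:12Z 192.0.2.9 GET /_matrix/client/v3/sync 200 auth=yes",
]

if __name__ == "__main__":
    print(tokenless_media_report(SAMPLE_LOG))
```

The report does not say which homeserver software Tchap runs; if it is Synapse, the legacy unauthenticated media route is closed by the `enable_authenticated_media: true` homeserver option, after which any HTTP 200 in this report is itself a misconfiguration finding.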
Regulatory notification and user guidance: CNIL alerted; public-room reminder
DINUM has alerted France's data protection authority, the CNIL, because of the potential exposure of personal data shared by some users in conversations the attacker could access. DINUM also notified all Tchap users and reminded them that public chat rooms are discoverable and not encrypted. In line with Tchap's terms of service, DINUM reiterated that "no personal, sensitive, or confidential information should be exchanged in public chat rooms: such exchanges should be reserved for private chat rooms."
What this means for technologists, policymakers, and civil servants
- Technologists and security teams: DINUM's stated log analysis and account block are immediate steps; teams responsible for Tchap infrastructure and shard configuration will likely need to validate access controls around media URLs and LDAP credential handling to assess whether the actor's claims about tokenless downloads and leaked credentials are accurate.
- Policymakers and regulators (CNIL): CNIL has been alerted; its role will be to evaluate potential data exposure arising from the incident and any obligations for notification or remediation stemming from the personal data implicated in the breached conversations.
- Civil servants and Tchap users: DINUM's user notice underscores that public chat rooms are accessible to any user and are not encrypted; users should follow Tchap's terms of service by confining sensitive exchanges to private rooms while the investigation proceeds.
DINUM told users the originating account was blocked and that investigators are analysing logs to identify which conversations were accessed and the nature of exfiltrated data. BleepingComputer reached out to DINUM with questions but did not receive an immediate response. The threat actor's assertions, if verified, point to a substantial collection of messages and files; the investigation and CNIL review will determine which of those claims are confirmed and what follow-on notifications or mitigations will be required.
Source: BleepingComputer – French govt messaging service breached in account hijacking attack