ctipilot.ch

Tchap French government Matrix messenger breached via account takeover; 73,467 civil servants' metadata exposed, CNIL notified

incident · incident:tchap-french-government-messenger-breach

Coverage timeline: 1 brief, first 2026-06-10 → last 2026-06-10
Briefs: 1 (1 distinct)
Sources cited: 4 (4 hosts)
Sections touched: 1 (active_threats)
Co-occurring entities: 2 (see Related entities below)

Story timeline

  1. 2026-06-10: CTI Daily Brief — 2026-06-10 (active_threats). First coverage. ATO on education shard pivoted via Matrix user-directory; DINUM confirms name/email/entity/avatar for 73,467 agents; unverified actor scrape claims flagged.

Where this entity is cited

  • active_threats (1)

Source distribution

  • bleepingcomputer.com: 1 (25%)
  • helpnetsecurity.com: 1 (25%)
  • numerique.gouv.fr: 1 (25%)
  • theregister.com: 1 (25%)

Related entities

Items in briefs about Tchap French government Matrix messenger breached via account takeover; 73,467 civil servants' metadata exposed, CNIL notified (1)

France's Tchap government messenger breached via account takeover — 73,467 civil servants' metadata scraped, CNIL notified

From CTI Daily Brief — 2026-06-10 · published 2026-06-10

On 7 June 2026 ANSSI detected a compromise of Tchap, the French state's sovereign Matrix-based encrypted messenger used by some 825,000 civil servants across all ministries; DINUM published its disclosure on 8 June (DINUM, 2026-06-08). The attacker obtained a single account on the education shard (matrix.agent.education.tchap.gouv.fr) through account impersonation; the attacker further claims to have used a Tchap directory-search function to enumerate accounts across the service, a mechanism DINUM has not confirmed and which The Register reports as part of a set of unverified attacker claims (Help Net Security, 2026-06-09; The Register, 2026-06-09). DINUM confirms 73,467 agents (under 9% of registered users) had name, first name, email address, employing entity and avatar potentially exposed; private rooms protected by Matrix end-to-end encryption were not accessible from a compromised user account, only public-room content (DINUM, 2026-06-08). The same actor additionally claims, again without verification, bulk scraping of ~643,000 messages and ~13.5 GB of media, alleging that any media object is retrievable without an auth token once its media ID is known — an unconfirmed content-repository access-control claim that, if true, would widen the exposure considerably (The Register, 2026-06-09). DINUM has notified CNIL and blocked the account; the investigation is ongoing.

Defender takeaway: account takeover followed by directory enumeration and bulk metadata scraping is a generic risk for any Matrix homeserver, since user-directory search is reachable by authenticated users across a federation by default. Organisations running Matrix/Element (BwMessenger and several cantonal/government deployments share this architecture) should restrict or disable cross-federation directory search, confirm sensitive comms use private E2EE rooms rather than public rooms, and watch for follow-on phishing that uses the leaked name + email + organisational-affiliation tuples.
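The takeaway above in concrete form, as an added example that is not from the brief, DINUM or the Tchap project: two Synapse homeserver.yaml fragments, a permissive one and a hardened one. It assumes the homeserver is Synapse (the page does not say what Tchap runs); the option names are Synapse's own, and the whitelist hosts are placeholders.

```yaml
# Added example (not from the brief, DINUM or the Tchap project): two Synapse
# homeserver.yaml fragments. Assumes the homeserver is Synapse, whose option
# names these are; the page does not say what Tchap runs.

# Document 1: permissive settings that make the chain described above
# (one stolen login -> directory enumeration -> token-less media fetch) cheap.
# Shown for contrast only; do not deploy.
user_directory:
  enabled: true
  search_all_users: true           # one compromised login can enumerate every user the server knows
allow_public_rooms_over_federation: true   # remote servers may list this server's public rooms
allow_public_rooms_without_auth: true      # so may unauthenticated clients
enable_authenticated_media: false          # legacy /_matrix/media/v3/download/... serves
                                           # a known media ID without an access token
---
# Document 2: hardened settings matching the defender takeaway.
user_directory:
  enabled: true
  search_all_users: false          # results limited to users in public rooms or sharing a room with the caller
  prefer_local_users: true         # rank this server's own users ahead of federated ones
allow_public_rooms_over_federation: false  # public-room list not exposed to other servers
allow_public_rooms_without_auth: false     # nor to anonymous clients
enable_authenticated_media: true           # media served only via the authenticated
                                           # /_matrix/client/v1/media/* endpoints (Matrix spec v1.11)
federation_domain_whitelist:               # federate only with homeservers you operate
  - matrix.shard-a.example.org             # placeholder: replace with your own sibling shards
  - matrix.shard-b.example.org             # placeholder
```

In Synapse the authenticated-media switch governs media uploaded after it is enabled, so check your version's documentation for how previously uploaded media is treated before relying on it.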