France’s Government Messaging App Tchap Got Breached

France’s government chat app Tchap was breached after a single account was compromised, exposing messages and data from public channels.

Tchap, the encrypted messaging platform developed by the French government for its civil servants and made mandatory last year, was breached on June 7. ANSSI, France’s cybersecurity agency, detected the intrusion. The vector was straightforward: someone compromised a user account and used it to access the platform. No sophisticated technical exploit, just a stolen account.

The attacker claimed responsibility over the weekend before the French Digital Affairs Directorate (DINUM) made any official announcement. They said they got in through a social engineering attack targeting the education shard, specifically matrix.agent.education.tchap.gouv.fr. Their own description of what they found is the more alarming part: they claim to have scraped nearly 650,000 messages, information on over 73,000 accounts, including email addresses and device metadata, and over 13.5GB of documents and media files.

Source: Frenchbreaches.com

They also allege they found hardcoded LDAP credentials leaked via a PowerShell script shared by a regional director of the French tax authority.

“I social engineered a valid account on the education shard (matrix.agent.education.tchap.gouv.fr). Everything below is what that one account could reach, other shards will have more,” reads the announcement made by the attackers.

DINUM’s official statement attempted to downplay the incident and moved to limit the apparent damage. The agency noted that private conversations are end-to-end encrypted, and that even with a compromised account, historical private messages remain inaccessible.

“At this stage, the account originating the malicious requests has been identified. It was immediately blocked to remove the attacker’s persistent access and allow for a thorough analysis of the data they were able to access,” reads the announcement. “The potentially exposed user account data includes, at a minimum: first and last name, email address, affiliated entity, and avatar.”

In other words, government experts found the account, blocked it, and are now going through the logs to figure out what was actually reached.

What was reachable through that one compromised account is the operative question. Tchap distinguishes between public chat rooms, open to any user and unencrypted by design, and private rooms, which are encrypted. The attacker’s access was theoretically limited to public room content. But with 300,000 monthly users, many of whom are civil servants who may not have read the fine print on what public means in this context, the contents of those public rooms could still be sensitive.
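An added example, not code from the article, DINUM or the Tchap project: a minimal audit of the public/unencrypted versus private/encrypted split described above, assuming rooms are described by standard Matrix state events (Tchap is built on the Matrix protocol). The room IDs and state are constructed and the function names are hypothetical.

```python
# Added example: flag Matrix rooms whose content any single account can read.
# Event types and defaults follow the Matrix spec; sample rooms are constructed.

def _state(events):
    """Index room-level state events (empty state_key) by event type."""
    return {e["type"]: e.get("content", {})
            for e in events if e.get("state_key", "") == ""}

def classify_room(events):
    state = _state(events)
    join_rule = state.get("m.room.join_rules", {}).get("join_rule", "invite")
    history = state.get("m.room.history_visibility", {}).get(
        "history_visibility", "shared")
    encrypted = bool(state.get("m.room.encryption", {}).get("algorithm"))
    open_to_all = join_rule == "public" or history == "world_readable"
    return {
        "join_rule": join_rule,
        "encrypted": encrypted,
        # "shared"/"world_readable" let a new joiner read messages sent before joining
        "full_history": history in ("shared", "world_readable"),
        "exposed": open_to_all and not encrypted,
    }

def audit(rooms):
    """Return {room_id: classification} for exposed rooms only."""
    report = {}
    for room_id, events in rooms.items():
        result = classify_room(events)
        if result["exposed"]:
            report[room_id] = result
    return report

def ev(etype, **content):
    return {"type": etype, "state_key": "", "content": content}

SAMPLE_ROOMS = {  # constructed room IDs and state, not real Tchap data
    "!forum:example.invalid": [ev("m.room.join_rules", join_rule="public")],
    "!forum-joined:example.invalid": [
        ev("m.room.join_rules", join_rule="public"),
        ev("m.room.history_visibility", history_visibility="joined")],
    "!team:example.invalid": [
        ev("m.room.join_rules", join_rule="invite"),
        ev("m.room.encryption", algorithm="m.megolm.v1.aes-sha2")],
    "!legacy:example.invalid": [ev("m.room.join_rules", join_rule="invite")],
}

if __name__ == "__main__":
    for room_id, r in audit(SAMPLE_ROOMS).items():
        print(room_id, "full history" if r["full_history"] else "from join only")
```

Rooms reported with full history are the ones where a single newly joined account can read everything posted before it arrived, which is the exposure a compromised account inherits.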

DINUM notified France’s data protection authority, the CNIL, of the potential exposure of personal data. It also sent a reminder to all Tchap users about how public rooms work.

“In accordance with Tchap’s terms of service, no personal, sensitive, or confidential information should be exchanged in public chats; these exchanges must be reserved for private conversations,” states DINUM. “Tchap remains a secure platform for professional exchanges, provided that each user adheres to the terms of service. No personal, sensitive, or confidential information should be exchanged in public chats; these exchanges must be reserved for private conversations.”

Reminding users after a breach that they weren’t supposed to share sensitive information in public rooms is the digital equivalent of putting up a sign after the accident.

The timing adds context. Prime Minister François Bayrou mandated Tchap for all civil servants and banned foreign apps for work communications in August 2025. As a result, Tchap is a significantly more attractive target than it was when it launched in 2018 as an internal tool for a limited number of individuals.

Mandatory adoption at scale, without proportional investment in the security review of every architectural decision made years earlier, is a pattern that tends to produce exactly this kind of incident. The investigation is ongoing.


Pierluigi Paganini

(SecurityAffairs – hacking, newsletter)
