France's Government Messaging App Tchap Breached: 13.5GB Leaked

Key Takeaways

• A threat actor breached France's Tchap messaging platform and claims to have stolen 13.5GB of government files
• The hack exposed hardcoded LDAP credentials and documents shared in non-encrypted public chatrooms
• The incident undermines France's push for digital sovereignty and homegrown government software

France's homegrown government messaging service, Tchap, was breached on June 7. A threat actor has claimed responsibility and says they stole nearly 14GB of documents, email addresses, and meeting links from the encrypted platform used by public servants.

The French National Cybersecurity Agency (ANSSI) confirmed the compromise and launched an investigation with the Digital Affairs Directorate (DINUM), which built and manages Tchap. According to a press release from numerique.gov, the attacker's account has been identified and blocked.

What remains unclear is exactly how much data was taken. DINUM sent a message to all Tchap users reminding them that public chatrooms are not encrypted. Only private conversations get end-to-end encryption.

What the Hacker Claims to Have Stolen

While DINUM has not disclosed the breach's origin or full scope, BleepingComputer reports that a threat actor has come forward with specifics. The hacker claims to have stolen hardcoded LDAP credentials, which would provide access to directory services and authentication systems.

Beyond credentials, the alleged haul includes 59,386 sensitive media files. Some of these documents were reportedly marked "Diffusion Restreinte," a French classification for information requiring limited distribution. The attacker also claims access to 73,467 user accounts with ministry affiliations.

• Hardcoded LDAP credentials exposed
• 73,467 user accounts allegedly compromised
• 59,386 media files including 'Diffusion Restreinte' documents
• Email addresses and meeting links for public servants

“The breach highlights the critical necessity of distinguishing between encrypted private channels and public discussion rooms, which remain vulnerable to standard hijacking techniques.”

— Jean-Baptiste Leclair, Cybersecurity Analyst at Digital Defense France

Why Tchap Matters to France

Tchap launched in 2019 as a state-owned alternative to commercial messaging apps. It runs on the Matrix protocol, the same open standard that powers Element and other federated chat services. The French government designed it specifically for public sector employees who needed secure internal communications.

The platform sits at the center of France's broader push for digital sovereignty. This year, the country announced plans to ditch Windows for Linux on government workstations. By 2027, a French-built alternative will replace Zoom and Microsoft Teams in government offices.

The EU is also moving in this direction. Reports indicate the bloc plans to stop using Google as its default internal search engine, replacing it with Quaint, a France-developed alternative.

The Public Room Problem

Tchap's architecture includes two types of communication channels. Private conversations use end-to-end encryption, meaning only participants can read the messages. Public chatrooms do not have this protection.

This distinction appears to be at the heart of the breach. Civil servants may have shared sensitive documents in public rooms, assuming the government-run platform was fully secure. DINUM's post-breach reminder to users confirms this was a known gap.

Security researchers on Hacker News noted the irony of a "sovereign" government platform having hardcoded LDAP credentials accessible via scripts. On Reddit's r/cybersecurity forum, commenters questioned whether civil servants received adequate training on which rooms were safe for sensitive information.

What Happens Next

ANSSI and DINUM are still investigating the full extent of the breach. The attacker's account is blocked, but the damage assessment is ongoing. If the claimed document leak proves accurate, the French government faces serious questions about handling classified materials on internal platforms.

The breach also complicates France's pitch for digital sovereignty. The argument for homegrown software rests partly on security, the idea that government-controlled tools are safer than foreign alternatives. A major hack on that very software undermines the narrative.

FAQ

Frequently Asked Questions

What is Tchap and who uses it?

Tchap is France's state-owned messaging platform built for public sector employees. Launched in 2019, it runs on the Matrix protocol and offers end-to-end encryption for private conversations. Government workers across French ministries use it for internal communications.

How much data was stolen in the Tchap breach?

The threat actor claims to have stolen 13.5GB of data, including documents, email addresses, meeting links, and files marked 'Diffusion Restreinte.' The French government has not confirmed these figures but is investigating.

Are private Tchap messages compromised?

Private conversations on Tchap use end-to-end encryption. The breach appears to have targeted public chatrooms, which are not encrypted, and system credentials. Users who only communicated in private channels may be less exposed.

What does this mean for France's digital sovereignty push?

The breach complicates France's argument that homegrown software is more secure than foreign alternatives. However, it also demonstrates the challenges any organization faces when deploying communication platforms at scale, regardless of origin.

Source: Engadget