French Government Messaging App Tchap Breached via Hijacked Account

Key Takeaways

- Attackers accessed Tchap via social engineering, compromising a valid account on the education shard
- Over 643,000 messages and data on 73,000+ accounts were scraped from public chat rooms
- Private encrypted conversations remained secure; only public rooms were affected
What Happened
DINUM, the digital affairs directorate of the French government, confirmed on Monday that hackers breached Tchap, France's encrypted messaging platform for civil servants. The attack was detected on Sunday by ANSSI, the French Cybersecurity Agency.
The attacker gained access through a compromised user account. DINUM has blocked the account to cut off persistent access while investigators analyze what data was accessed.
Tchap is built on the decentralized Matrix protocol and was developed in-house by DINUM in collaboration with ANSSI starting in 2018. Prime Minister François Bayrou mandated its use for all civil servants in August 2025, banning foreign messaging apps for work communications. The platform now has over 300,000 monthly users and more than 500,000 downloads on Google Play.
What the Attacker Claims
A threat actor claimed responsibility over the weekend and shared samples of stolen files. They said the breach started with a social engineering attack on the education shard (matrix.agent.education.tchap.gouv.fr).
“I social engineered a valid account on the education shard. Everything below is what that one account could reach, other shards will have more.”
— Threat actor's public claim
According to the threat actor's claims, they obtained hardcoded LDAP credentials leaked through a PowerShell script shared by a French tax authority regional director. The attacker says they exfiltrated over 13.5GB of documents and media files shared by public servants on Tchap.
The scope of the alleged breach is significant. The threat actor claims to have scraped nearly 650,000 messages and collected information on over 73,000 accounts, including email addresses, organization details, and metadata.
Public Rooms vs. Private: A Critical Distinction
DINUM has alerted all Tchap users that public chat rooms can be found and joined by any user. Crucially, content in public rooms is not encrypted.
The agency reminded users that under Tchap's terms of service, no personal, sensitive, or confidential information should be exchanged in public chat rooms. Such conversations should happen only in private rooms, which maintain end-to-end encryption.
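In the Matrix protocol that Tchap is built on, whether a room is open to any account and whether its content is encrypted are both recorded in the room's state events. The following is an added example, not code from DINUM, Tchap or the original article: it audits room state for rooms that are publicly joinable and carry no encryption event. The room IDs and state data are constructed, and the event types and fallback values are those of the Matrix specification as used here.

```python
# Added example: flag Matrix rooms whose state makes their content readable
# by any account on the server. Sample rooms below are constructed.
SAMPLE_STATE = {
    "!forum:example.invalid": [
        {"type": "m.room.join_rules", "state_key": "",
         "content": {"join_rule": "public"}},
        {"type": "m.room.history_visibility", "state_key": "",
         "content": {"history_visibility": "world_readable"}},
        {"type": "m.room.name", "state_key": "", "content": {"name": "Forum"}},
    ],
    "!team:example.invalid": [
        {"type": "m.room.join_rules", "state_key": "",
         "content": {"join_rule": "invite"}},
        {"type": "m.room.encryption", "state_key": "",
         "content": {"algorithm": "m.megolm.v1.aes-sha2"}},
    ],
    # Edge case: no join_rules event at all, and no encryption event.
    "!legacy:example.invalid": [
        {"type": "m.room.name", "state_key": "", "content": {"name": "Old"}},
    ],
}


def classify_room(state_events):
    """Summarise join rule, encryption and history visibility for one room."""
    # Room-level settings live in state events with an empty state_key.
    state = {e["type"]: e.get("content", {})
             for e in state_events if e.get("state_key") == ""}
    # Fallbacks when an event is missing: "invite" and "shared".
    join_rule = state.get("m.room.join_rules", {}).get("join_rule", "invite")
    visibility = state.get("m.room.history_visibility", {}).get(
        "history_visibility", "shared")
    encrypted = bool(state.get("m.room.encryption", {}).get("algorithm"))
    findings = []
    if join_rule == "public" and not encrypted:
        findings.append("public-unencrypted")      # any user can join and read
    if visibility == "world_readable":
        findings.append("world-readable-history")  # readable without joining
    return {"join_rule": join_rule, "encrypted": encrypted,
            "history_visibility": visibility, "findings": findings}


def audit(rooms):
    """Return only the rooms that have at least one exposure finding."""
    report = {room_id: classify_room(ev) for room_id, ev in rooms.items()}
    return {room_id: r for room_id, r in report.items() if r["findings"]}


if __name__ == "__main__":
    for room_id, result in audit(SAMPLE_STATE).items():
        print(room_id, result["findings"])
```
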
DINUM has notified France's data protection authority, the CNIL, due to potential exposure of personal data in conversations the attacker accessed. The investigation continues, with teams analyzing event logs to identify which conversations were compromised and what data was taken.
Security Community Response
Discussion in cybersecurity circles has focused on the architectural gap between public and private Matrix rooms. Many experts note that Tchap users likely operated under a false sense of security about content shared in non-private channels.
The incident highlights a recurring challenge with enterprise messaging platforms: users often don't distinguish between different security levels within the same app. A public room in Tchap looks similar to a private one, but the security model is fundamentally different.
This breach comes at a sensitive time for government communication security. With France's mandate pushing all civil servants onto Tchap, the platform's user base has grown rapidly. Growth that fast can outpace security training and user awareness.
What DINUM Is Doing Now
- Blocked the compromised account to remove attacker access
- Conducting forensic analysis of event logs
- Identifying which conversations were accessed and what data was exfiltrated
- Notified CNIL about potential personal data exposure
- Sent reminders to all users about public vs. private room security
DINUM has not disclosed how the initial account compromise occurred or how long the attacker had access before detection. These details will likely emerge as the investigation progresses.
Frequently Asked Questions
Was Tchap's encryption broken in this breach?
No. The attacker accessed public chat rooms, which are not encrypted by design. Private rooms with end-to-end encryption were not compromised.
How many users were affected by the Tchap breach?
The threat actor claims to have collected data on over 73,000 accounts, including email addresses and organizational metadata.
How did the attacker gain access to Tchap?
According to their claims, through social engineering a valid account on the education shard and potentially exploiting leaked LDAP credentials from a PowerShell script.
Is Tchap still safe to use?
DINUM has blocked the compromised account and is investigating. Private encrypted rooms remain secure. Users should avoid sharing sensitive information in public rooms.
What is Tchap built on?
Tchap uses the decentralized Matrix protocol and was developed by DINUM and ANSSI starting in 2018 for exclusive use by French civil servants.
Source: BleepingComputer
Manaal Khan
Tech & Innovation Writer