French Govt Tchap Breach Exposes 73,000 Civil Servant Accounts

Key Takeaways

- 73,467 French civil servants had data exposed through Tchap's unencrypted public chat rooms
- The attacker used social engineering to compromise a user account and scraped 650,000 messages plus 13.5GB of files
- Private encrypted conversations remained protected, but public rooms were vulnerable by design

France's official encrypted messaging platform, Tchap, suffered a breach that exposed data from 73,467 civil servant accounts. DINUM, the government's digital affairs directorate, confirmed the incident on Monday and notified the country's data protection authority, CNIL.

The attacker gained access through a compromised user account, obtained via social engineering. Once inside, they scraped data from public chat rooms, which are not encrypted by design. Private conversations remained protected.

What Was Exposed

DINUM disclosed that the stolen data includes first names, last names, email addresses, avatar images, and the public sector organizations where affected employees work. This information was shared in Tchap's public forums, which allow open access to all registered users.

A threat actor claiming responsibility said they scraped nearly 650,000 messages from more than 73,000 accounts. They also claim to have stolen over 13.5GB of documents and media files, along with meeting links, organization metadata, and account and device information.

Perhaps more concerning: the attacker allegedly obtained hardcoded LDAP credentials leaked via a PowerShell script. If verified, this could enable further attacks against French government systems.

How the Attack Happened

The breach started with social engineering, not a technical exploit. The attacker compromised a legitimate user account, then used it to access public chat rooms and scrape their contents. DINUM has since blocked the compromised account to cut off persistent access.
“The breach is a stark reminder that even 'sovereign' platforms are not immune to social engineering when human error remains the weakest link.”
— Marc-Antoine Dubois, Lead Security Researcher at CyberGuard Europe
This attack path is notable because Tchap was built specifically to replace foreign messaging apps like WhatsApp for official government communications. Developed by DINUM and ANSSI, France's cybersecurity agency, it launched in 2018 and became mandatory for civil servants in August 2025. The platform now has over 300,000 monthly active users.
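
A single valid account reading history from many public rooms in a short time is the pattern a defender can look for in homeserver access logs. The sketch below is an added example, not code from DINUM or Tchap: the log format, account names, room IDs and thresholds are all constructed assumptions, and only the Matrix history endpoint path (`/rooms/{roomId}/messages`) is taken from the Matrix client-server API.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds for illustration; tune against your own baseline.
WINDOW = timedelta(minutes=10)
MAX_ROOMS = 5      # distinct rooms paged through inside one window
MAX_REQUESTS = 40  # history requests inside one window

def parse(line):
    """Constructed log format: '<ISO time> <user> <method> <path>'."""
    fields = line.split()
    if len(fields) != 4:
        return None
    ts, user, _method, path = fields
    parts = path.split("?")[0].split("/")
    # Matrix history pagination: /_matrix/client/v3/rooms/{roomId}/messages
    if len(parts) == 7 and parts[4] == "rooms" and parts[6] == "messages":
        return datetime.fromisoformat(ts), user, parts[5]
    return None

def detect(lines):
    """Return {user: time the account first crossed a threshold}. Input must be time-ordered."""
    recent = defaultdict(deque)  # user -> (time, room) pairs still inside the window
    flagged = {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, user, room = rec
        q = recent[user]
        q.append((ts, room))
        while ts - q[0][0] > WINDOW:
            q.popleft()
        if user not in flagged and (len({r for _, r in q}) > MAX_ROOMS or len(q) > MAX_REQUESTS):
            flagged[user] = ts
    return flagged

def sample_log():
    """Constructed traffic: one ordinary reader, one account walking many public rooms."""
    t0, rows = datetime(2025, 1, 1, 9, 0), []
    for i in range(12):  # alice: two rooms, one request every 5 minutes
        rows.append((t0 + timedelta(minutes=5 * i), "@alice:example.invalid", i % 2))
    for i in range(60):  # bulk reader: eight rooms, one request every 5 seconds
        rows.append((t0 + timedelta(minutes=30, seconds=5 * i), "@svc-export:example.invalid", i % 8))
    rows.sort()
    return [f"{ts.isoformat()} {u} GET /_matrix/client/v3/rooms/!room{r}:example.invalid/messages?dir=b"
            for ts, u, r in rows]

if __name__ == "__main__":
    for user, when in detect(sample_log()).items():
        print(f"bulk history read: {user} at {when.isoformat()}")
```

The distinct-room count trips first here; the request-count threshold covers an account that drains one very large room instead.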

The Public Room Problem

Tchap uses the Matrix protocol, which supports end-to-end encryption for private conversations. But the platform also includes public rooms, group spaces where messages are visible to all users. These rooms are unencrypted by design.
DINUM's statement made this explicit: "These forums, by design, are open to all users and their messages are not encrypted. Officers' private conversations remain protected."
The issue is that users may not fully understand this distinction. Discussions on Reddit's r/cybersecurity and Hacker News have focused on the irony of a "sovereign" platform being compromised through basic social engineering. Many commenters pointed to training failures, arguing that users should have been more clearly warned not to share sensitive data in public rooms.
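
An administrator can inventory which rooms fall on the unencrypted side of this distinction from room state alone. The following is an added example, not Tchap's or DINUM's tooling: the room IDs and state are constructed, the labels are my own, and the event types (`m.room.join_rules`, `m.room.history_visibility`, `m.room.encryption`) and their defaults are those of the Matrix specification.

```python
# Added example. Room IDs and state below are constructed, not Tchap data.
# In a live audit the state list would come from the Matrix client-server API
# (GET /_matrix/client/v3/rooms/{roomId}/state).

def state_of(events):
    """Index current state events by type (only the empty state_key matters here)."""
    return {e["type"]: e.get("content", {}) for e in events if e.get("state_key", "") == ""}

def classify(events):
    s = state_of(events)
    # Matrix spec defaults when the event is absent: invite-only, "shared" history.
    join_rule = s.get("m.room.join_rules", {}).get("join_rule", "invite")
    history = s.get("m.room.history_visibility", {}).get("history_visibility", "shared")
    encrypted = bool(s.get("m.room.encryption", {}).get("algorithm"))
    if encrypted:
        return "e2ee"
    if join_rule == "public":
        # Any account can join; "shared"/"world_readable" also hands over old history.
        return "open-full-history" if history in ("shared", "world_readable") else "open-from-join"
    return "plaintext-members-only"

def audit(rooms):
    """Return (room_id, label) for every room whose messages are not end-to-end encrypted."""
    findings = [(rid, classify(events)) for rid, events in rooms.items()]
    order = {"open-full-history": 0, "open-from-join": 1, "plaintext-members-only": 2}
    return sorted((f for f in findings if f[1] != "e2ee"), key=lambda f: (order[f[1]], f[0]))

def ev(type_, **content):
    """Build a constructed state event."""
    return {"type": type_, "state_key": "", "content": content}

ROOMS = {
    "!forum-rh:example.invalid": [ev("m.room.join_rules", join_rule="public"),
                                  ev("m.room.history_visibility", history_visibility="shared")],
    "!annonces:example.invalid": [ev("m.room.join_rules", join_rule="public"),
                                  ev("m.room.history_visibility", history_visibility="joined")],
    "!equipe:example.invalid": [ev("m.room.join_rules", join_rule="invite"),
                                ev("m.room.encryption", algorithm="m.megolm.v1.aes-sha2")],
    "!projet:example.invalid": [ev("m.room.join_rules", join_rule="invite")],
}

if __name__ == "__main__":
    for room_id, label in audit(ROOMS):
        print(f"{label:24} {room_id}")
```

Rooms labelled `open-full-history` are the ones where a single compromised account can read everything posted so far, which makes them the first candidates for a user-facing warning or a content review.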

Government Response

DINUM has identified and blocked the malicious account. The directorate is conducting an analysis to determine the full scope of data exposure. France's data protection authority, CNIL, has been notified as required under EU regulations.
The government has not attributed the attack to any specific group or nation-state. The threat actor who claimed responsibility has not been independently verified.

Lessons for Other Organizations

The Tchap breach offers several takeaways for any organization using internal messaging platforms:

- Public or open channels on any platform are not encrypted. Treat them as public spaces, not secure communication channels.
- Social engineering remains the easiest attack vector. Technical security means little if one user clicks the wrong link.
- "Sovereign" or government-built tools are not inherently more secure. They face the same human factors as commercial alternatives.
- User training must be explicit about what is and isn't protected. Assumptions about encryption cause real data exposure.

Frequently Asked Questions

Were encrypted private messages on Tchap compromised?
No. DINUM confirmed that private conversations remain protected by end-to-end encryption. Only public chat rooms, which are unencrypted by design, were affected.
How did the attacker gain access to Tchap?
Through social engineering. The attacker compromised a legitimate user account and used it to access and scrape public chat rooms on the platform.
What personal data was exposed in the Tchap breach?
Names, email addresses, avatar images, organization affiliations, meeting links, and account metadata. The threat actor also claims to have stolen 13.5GB of documents and media files.
How many people use Tchap?
Tchap has over 825,000 registered users and more than 300,000 monthly active users. The breach affected 73,467 accounts, or about 9% of registered users.
What is Tchap and why does France use it?
Tchap is a secure messaging platform built on the Matrix protocol, developed by France's DINUM and ANSSI. It became mandatory for civil servants in August 2025 to replace foreign apps like WhatsApp for official communications.
Source: BleepingComputer
Huma Shazia
Senior AI & Tech Writer