French Government Messaging App Tchap Breached via Hijacked Account

Key Takeaways

- Attackers accessed Tchap via social engineering, compromising a valid account on the education shard
- Over 643,000 messages and data on 73,000+ accounts were scraped from public chat rooms
- Private encrypted conversations remained secure; only public rooms were affected

What Happened

DINUM, the digital affairs directorate of the French government, confirmed on Monday that hackers breached Tchap, France's encrypted messaging platform for civil servants. The attack was detected on Sunday by ANSSI, the French Cybersecurity Agency.
The attacker gained access through a compromised user account. DINUM has blocked the account to cut off persistent access while investigators analyze what data was accessed.
Tchap is built on the decentralized Matrix protocol and was developed in-house by DINUM in collaboration with ANSSI starting in 2018. Prime Minister François Bayrou mandated its use for all civil servants in August 2025, banning foreign messaging apps for work communications. The platform now has over 300,000 monthly users and more than 500,000 downloads on Google Play.

What the Attacker Claims

A threat actor claimed responsibility over the weekend and shared samples of stolen files. They said the breach started with a social engineering attack on the education shard (matrix.agent.education.tchap.gouv.fr).
“I social engineered a valid account on the education shard. Everything below is what that one account could reach, other shards will have more.”
— Threat actor's public claim
According to the threat actor's claims, they obtained hardcoded LDAP credentials leaked through a PowerShell script shared by a French tax authority regional director. The attacker says they exfiltrated over 13.5GB of documents and media files shared by public servants on Tchap.
The scope of the alleged breach is significant. The threat actor claims to have scraped nearly 650,000 messages and collected information on over 73,000 accounts, including email addresses, organization details, and metadata.

Public Rooms vs. Private: A Critical Distinction

DINUM has alerted all Tchap users that public chat rooms can be found and joined by any user. Crucially, content in public rooms is not encrypted.
The agency reminded users that under Tchap's terms of service, no personal, sensitive, or confidential information should be exchanged in public chat rooms. Such conversations should happen only in private rooms, which maintain end-to-end encryption.
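
An administrator can check which rooms fall on the unencrypted, openly joinable side of this distinction by reading each room's Matrix state events. The following is an added example, not Tchap's or DINUM's code: the room IDs and state are constructed, and the high/medium/low tiers are an assumption of this example rather than a Matrix or Tchap rating.

```python
from dataclasses import dataclass

def ev(event_type, **content):
    return {"type": event_type, "state_key": "", "content": content}

# Constructed sample, shaped like GET /_matrix/client/v3/rooms/{roomId}/state output.
SAMPLE_ROOMS = {
    "!helpdesk:example.org": [ev("m.room.join_rules", join_rule="public")],
    "!announce:example.org": [ev("m.room.join_rules", join_rule="public"),
                              ev("m.room.history_visibility", history_visibility="world_readable")],
    "!live:example.org": [ev("m.room.join_rules", join_rule="public"),
                          ev("m.room.history_visibility", history_visibility="joined")],
    "!budget:example.org": [ev("m.room.join_rules", join_rule="invite"),
                            ev("m.room.encryption", algorithm="m.megolm.v1.aes-sha2")],
    "!legacy:example.org": [],  # no state events: the defaults below apply
}

@dataclass(frozen=True)
class RoomFinding:
    room_id: str
    join_rule: str
    encrypted: bool
    history_visibility: str
    risk: str  # tiers are this example's assumption

def _state(events, event_type, key, default):
    """Return one content field of a room-level state event, or the default."""
    for e in events:
        if e.get("type") == event_type and e.get("state_key", "") == "":
            return e.get("content", {}).get(key, default)
    return default

def audit_room(room_id, events):
    # A missing event is treated as join_rule "invite" and visibility "shared".
    join_rule = _state(events, "m.room.join_rules", "join_rule", "invite")
    visibility = _state(events, "m.room.history_visibility", "history_visibility", "shared")
    encrypted = _state(events, "m.room.encryption", "algorithm", None) is not None
    if encrypted:
        risk = "low"
    elif join_rule == "public" and visibility in ("shared", "world_readable"):
        risk = "high"    # any account can join and read earlier plaintext history
    else:
        risk = "medium"  # plaintext on the server, but membership or history is limited
    return RoomFinding(room_id, join_rule, encrypted, visibility, risk)

def audit_rooms(rooms):
    """Audit every room; highest risk first, then by room id."""
    order = {"high": 0, "medium": 1, "low": 2}
    found = [audit_room(rid, evs) for rid, evs in rooms.items()]
    return sorted(found, key=lambda f: (order[f.risk], f.room_id))
```

Rooms reported as high are the ones a single valid account can join and read back through, which is the exposure DINUM's reminder to users describes.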
DINUM has notified France's data protection authority, the CNIL, due to potential exposure of personal data in conversations the attacker accessed. The investigation continues, with teams analyzing event logs to identify which conversations were compromised and what data was taken.

Security Community Response

Discussion in cybersecurity circles has focused on the architectural gap between public and private Matrix rooms. Many experts note that Tchap users likely operated under a false sense of security about content shared in non-private channels.
The incident highlights a recurring challenge with enterprise messaging platforms: users often don't distinguish between different security levels within the same app. A public room in Tchap looks similar to a private one, but the security model is fundamentally different.
This breach comes at a sensitive time for government communication security. With France's mandate pushing all civil servants onto Tchap, the platform's user base has grown rapidly. Growth that fast can outpace security training and user awareness.

What DINUM Is Doing Now

- Blocked the compromised account to remove attacker access
- Conducting forensic analysis of event logs
- Identifying which conversations were accessed and what data was exfiltrated
- Notified CNIL about potential personal data exposure
- Sent reminders to all users about public vs. private room security
DINUM has not disclosed how the initial account compromise occurred or how long the attacker had access before detection. These details will likely emerge as the investigation progresses.

Frequently Asked Questions

Was Tchap's encryption broken in this breach?
No. The attacker accessed public chat rooms, which are not encrypted by design. Private rooms with end-to-end encryption were not compromised.

How many users were affected by the Tchap breach?
The threat actor claims to have collected data on over 73,000 accounts, including email addresses and organizational metadata.

How did the attacker gain access to Tchap?
According to their claims, by social engineering a valid account on the education shard and potentially by exploiting LDAP credentials leaked in a PowerShell script.

Is Tchap still safe to use?
DINUM has blocked the compromised account and is investigating. Private encrypted rooms remain secure. Users should avoid sharing sensitive information in public rooms.

What is Tchap built on?
Tchap uses the decentralized Matrix protocol and was developed by DINUM and ANSSI starting in 2018 for exclusive use by French civil servants.

Source: BleepingComputer
Manaal Khan
Tech & Innovation Writer