PROBABLYPWNED
Data Breaches | June 13, 2026 | 4 min read

Tchap Breach Exposes 73,000 French Government Accounts

Attackers compromised France's secure messaging platform via social engineering, allegedly stealing 650,000 messages and 13.5GB of data from civil servants.

Sarah Mitchell

France's national cybersecurity agency ANSSI has confirmed a security breach of Tchap, the government's secure messaging platform built as an alternative to WhatsApp and Signal. The attack compromised 73,467 civil servant accounts—nearly 9% of all registered users—after threat actors gained persistent access through a single hijacked account.

TL;DR

  • What happened: Social engineering attack compromised Tchap secure messenger
  • Who's affected: 73,467 French government employees across multiple agencies
  • Data exposed: 650,000 messages, 13.5GB documents, LDAP credentials (attacker claims)
  • Action required: French civil servants should review account activity and shared content

How the Breach Occurred

The attack began with a social engineering campaign that compromised a single user account. Once inside, the threat actor used the compromised credentials to maintain persistent platform access and scrape data from public chat rooms, which lack end-to-end encryption.

DINUM, France's digital affairs directorate, detected unauthorized access on June 7, 2026, and publicly disclosed the breach on June 12. The threat actor claimed responsibility over the weekend, sharing samples of stolen files to prove the breach.

This incident mirrors the social engineering tactics we've seen used against law firms by the Silent Ransom Group—high-value targets accessed through individual credential compromise rather than technical exploitation.

What Data Was Exposed

The attacker allegedly exfiltrated:

  • 650,000 messages scraped from public chat rooms
  • 13.5GB of documents and media files shared on the platform
  • Metadata on 73,467 accounts including email addresses, names, organization affiliation, and avatar images
  • Hardcoded LDAP credentials discovered within the platform

Private encrypted conversations remained protected, according to DINUM. However, the volume of unencrypted data from public channels represents significant exposure of government communications.

For context on how data breaches of this scale can impact government operations, see our guide on data breach fundamentals.

Mandatory Adoption Created Concentration Risk

Tchap's breach carries particular weight because of its mandatory adoption status. In August 2025, Prime Minister François Bayrou banned foreign messaging apps for official government communications, requiring all civil servants to use Tchap instead.

The platform has since grown to over 300,000 monthly active users and 825,000 registered accounts. Concentrating all government messaging on a single platform created an attractive target—compromising one account could expose communications across multiple agencies.

ANSSI's Response

Upon detection, DINUM immediately:

  1. Blocked the compromised account
  2. Initiated forensic analysis of platform access logs
  3. Notified CNIL, France's data protection authority
  4. Assessed scope of potential data exposure

The agency has not disclosed specific remediation timelines or whether additional accounts showed signs of compromise. Attribution remains incomplete—the threat actor has not been publicly identified.

The Irony of Secure Messaging

Tchap was built specifically because France didn't trust foreign messaging platforms with government communications. The platform runs on Matrix protocol infrastructure and is designed to provide sovereign control over sensitive data.

But the breach didn't exploit a protocol flaw or zero-day vulnerability. It exploited human trust—a social engineering attack that could succeed against any platform. The "secure" in secure messaging refers to encryption in transit and at rest, not protection against compromised credentials.

This echoes the ServiceNow incident from earlier this week, where architectural decisions meant to enable legitimate access also enabled unauthorized data exposure.

Why This Matters

Government messaging platforms are prime targets because they aggregate sensitive communications. A single breach can expose cross-departmental discussions, policy deliberations, and operational details that would otherwise require compromising dozens of individual systems.

The mandatory adoption order that pushed 500,000+ downloads also ensured that a successful breach would have maximum impact. Security architects often warn against single points of failure, but convenience and compliance requirements frequently override that caution.

For organizations handling sensitive communications, the lesson is clear: encryption doesn't prevent credential theft. Phishing-resistant authentication, behavioral monitoring, and assumed-breach architectures remain essential even when the underlying platform is cryptographically sound.
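One way to make the behavioral monitoring point concrete, as an added example that is not code from DINUM, ANSSI or the Tchap project: flag any account that reads message history from an unusually large number of distinct rooms in a short window, the pattern a scraper working from one hijacked account would leave. The Matrix history endpoint path is real; the log layout, user and room IDs, and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matrix client-server history endpoint: GET /_matrix/client/v3/rooms/{roomId}/messages
HISTORY = re.compile(r"^/_matrix/client/(?:r0|v3)/rooms/([^/]+)/messages")

def parse(line):
    """Assumed layout: '<ISO time> <user id> <method> <path>'. None if not a history read."""
    parts = line.split()
    if len(parts) != 4 or parts[2] != "GET":
        return None
    m = HISTORY.match(parts[3])
    if not m:
        return None
    return datetime.fromisoformat(parts[0]), parts[1], m.group(1)

def flag_room_sweeps(lines, window=timedelta(minutes=10), max_rooms=5):
    """Return {user: peak distinct rooms} for users who read history from more
    than max_rooms distinct rooms inside any sliding window."""
    recent = defaultdict(deque)  # user -> (time, room) events still inside the window
    peaks = {}
    for ts, user, room in sorted(e for e in map(parse, lines) if e):
        q = recent[user]
        q.append((ts, room))
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = len({r for _, r in q})
        if distinct > max_rooms:
            peaks[user] = max(peaks.get(user, 0), distinct)
    return peaks

def constructed_log():
    """Constructed sample, not real logs: one account pages through 12 rooms in
    under 6 minutes, another reads 2 rooms over an hour, plus noise lines."""
    t0 = datetime(2026, 1, 1, 9, 0, 0)
    lines = []
    for i in range(12):
        ts = (t0 + timedelta(seconds=30 * i)).isoformat()
        lines.append(f"{ts} @mallory:example.org GET /_matrix/client/v3/rooms/!room{i}:example.org/messages?dir=b&limit=100")
    for i in range(6):
        ts = (t0 + timedelta(minutes=10 * i)).isoformat()
        lines.append(f"{ts} @alice:example.org GET /_matrix/client/v3/rooms/!room{i % 2}:example.org/messages?dir=b&limit=20")
    lines.append(f"{t0.isoformat()} @alice:example.org GET /_matrix/client/v3/sync?timeout=30000")
    lines.append("malformed line")
    return lines

if __name__ == "__main__":
    print(flag_room_sweeps(constructed_log()))
```

In practice the threshold would be set per deployment from a baseline of normal room-reading behavior, since bridges, bots and moderators legitimately touch many rooms.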

Frequently Asked Questions

Were encrypted private messages exposed?

According to DINUM, private encrypted conversations were not compromised. The breach affected public chat rooms, which by design lack end-to-end encryption, plus account metadata and shared files.

Should French civil servants change their passwords?

If you're a Tchap user who shared sensitive information in public channels, assume it was exposed. Review your account activity and consider what information may have been accessible through your organizational chat rooms.
