Tchap Breach Exposes Vulnerabilities in French Government’s Encrypted Messaging Platform


French authorities are currently investigating a significant security incident involving Tchap, the encrypted messaging platform designed for government use. The breach reportedly occurred when attackers gained access through a compromised user account, raising serious concerns about the security of sensitive communications within the French public sector. The incident, detected by the National Cybersecurity Agency of France (ANSSI), has prompted an ongoing investigation led by the Directorate of Digital Affairs (DINUM).

Timeline of the Incident

The breach was identified on a Sunday when ANSSI observed suspicious activity on the Tchap platform. Following this detection, DINUM took immediate action to assess the situation and mitigate potential risks. The breach highlights vulnerabilities in a system that is supposed to provide secure communications for government officials, emphasizing the critical need for robust cybersecurity measures.

According to information released on Monday, a threat actor accessed the Tchap service using a hijacked account. This unauthorized access raises alarms about the potential exposure of user conversations and shared data, which could have far-reaching implications for national security and public trust.

Tchap’s Growing Role Within the French Government

Launched in 2018 through a collaboration between DINUM and ANSSI, Tchap was developed specifically for the French public sector as a secure messaging and collaboration tool. Built on the decentralized Matrix protocol, Tchap aims to reduce reliance on foreign communication applications, which have been deemed less secure.

The platform has seen substantial growth, now boasting over 300,000 monthly active users and exceeding 500,000 downloads on Google’s Play Store. Its adoption accelerated following a directive from French Prime Minister François Bayrou in August 2025, mandating civil servants to use Tchap for professional communications while prohibiting foreign messaging applications for official discussions.

DINUM Alerts CNIL Following Potential Data Exposure

In light of the breach, DINUM promptly informed France’s data protection authority, CNIL, about the possibility that personal information shared by users may have been compromised. Authorities also notified all Tchap users, emphasizing the security limitations of public chat rooms on the platform.

Officials reiterated that public channels can be accessed by any Tchap user and that messages exchanged in these rooms are not encrypted. This limitation underscores the importance of adhering to Tchap’s terms of service, which advise against sharing personal, sensitive, or confidential information in public chat rooms.

DINUM provided an update on the investigation, stating that the account responsible for the malicious requests has been identified and blocked to prevent further access. The agency is currently analyzing event logs to determine the extent of the data accessed by the attacker.

Threat Actor Claims Social Engineering Led to the Tchap Breach

While DINUM has not disclosed additional technical details regarding the breach, an individual claiming responsibility for the incident has publicly shared alleged evidence, describing the attack as the result of a social engineering operation. This claim raises questions about the effectiveness of security protocols in place for user account management.

The threat actor asserted that they social engineered a valid account on the education shard of Tchap, indicating that the breach could have far-reaching implications across different sectors of the French government. Access to a legitimate account reportedly allowed visibility into a substantial amount of information available through the platform.

The individual also claimed to have uncovered hardcoded LDAP credentials, which were allegedly exposed through a PowerShell script shared by a regional director within a French tax authority. This revelation points to potential systemic issues in the management of sensitive information within government agencies.

Alleged Theft of Documents, Messages, and User Information

The threat actor further alleged that over 13.5GB of documents and media files were taken from Tchap, which were reportedly shared by public servants using the messaging service. In addition to the documents, the attacker claimed to have collected nearly 650,000 messages and information associated with over 73,000 user accounts. The purported dataset allegedly includes email addresses, organizational details, meeting links, account information, device metadata, and other user-related records.

The individual made alarming claims regarding the accessibility of shared files on the platform, stating that every file ever shared on Tchap is downloadable without a token. They added that media IDs from messages allow for unrestricted access to files, regardless of which shard hosts them. These assertions have not been independently verified by French authorities; if accurate, they would point to significant vulnerabilities that could be exploited by malicious actors.

Implications for Cybersecurity Policy

The Tchap breach serves as a critical reminder of the vulnerabilities inherent in digital communication platforms, even those designed for secure government use. As Tchap continues to expand its user base within the French public sector, the incident underscores the urgent need for enhanced cybersecurity measures, including robust user authentication protocols and comprehensive training for government employees on recognizing social engineering tactics.

The implications of this breach extend beyond the immediate exposure of sensitive information. It raises questions about the overall security posture of government communication systems and the potential risks associated with reliance on a single platform for official communications.

As investigations continue, the French government faces the challenge of restoring public trust while ensuring that such vulnerabilities are addressed to prevent future incidents. The Tchap breach is not just a technical failure; it is a wake-up call for governments worldwide to reassess their cybersecurity strategies in an increasingly digital landscape.

For further details on the incident, refer to the original reporting source: thecyberexpress.com.
