French authorities are investigating a security incident involving Tchap, the encrypted messaging platform used by the French government, after attackers reportedly gained access through a compromised user account. The incident, which ANSSI detected, has prompted an ongoing investigation led by DINUM, the digital affairs directorate of the French government.
According to information released on Monday, the Tchap breach was identified on Sunday when ANSSI, France’s national cybersecurity agency, detected suspicious activity on the platform. Officials said a threat actor accessed the service using a hijacked account, raising concerns about potential exposure of user conversations and shared data.
The breach comes as Tchap continues to expand across the French public sector, serving hundreds of thousands of users following a government-wide push to reduce reliance on foreign communication applications.
Tchap’s Growing Role Within the French Government
Tchap was launched in 2018 through a collaboration between DINUM and ANSSI. Built on the decentralized Matrix protocol, the platform was developed specifically for use within the French public sector as a secure messaging and collaboration tool.
The service has experienced significant growth in recent years. According to available figures, Tchap now records more than 300,000 monthly active users and has surpassed 500,000 downloads on Google’s Play Store.
Its adoption accelerated after French Prime Minister François Bayrou introduced a directive in early August 2025 requiring civil servants to use Tchap for professional communications while prohibiting the use of foreign messaging applications for official work-related discussions.
DINUM Alerts CNIL Following Potential Data Exposure
In response to the Tchap breach, DINUM informed France’s data protection authority, the CNIL, because of the possibility that personal information shared by users may have been exposed. Authorities also notified all Tchap users and reminded them about the security limitations of public chat rooms on the platform.
Officials emphasized that public channels can be discovered and joined by any Tchap user and that messages exchanged in these rooms are not encrypted.
Providing an update on the investigation, DINUM stated:
“At this stage, the account originating the malicious requests has been identified. It was immediately blocked to remove the attacker’s persistent access and allow for a thorough analysis of the data they were able to access. The investigation continues, including the study of event logs, to identify the conversations that the attacker was able to access and the nature of the exfiltrated data.”
The French government agency further noted:
“A message has been sent to all Tchap users reminding them that a public chat room can be found and joined by any user and that its content is not encrypted. In accordance with Tchap’s terms of service, no personal, sensitive, or confidential information should be exchanged in public chat rooms: such exchanges should be reserved for private chat rooms.”
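The reminder above maps onto Matrix room state: a room is joinable by any user when its `m.room.join_rules` event says `public`, and it is unencrypted when it has no `m.room.encryption` event. The Python audit below is an added example, not Tchap's or DINUM's code; the sample rooms, the function names and the credential regex are assumptions, and real input would be each room's state and timeline as exported by an administrator.

```python
import re

# Heuristic for credential-like assignments (pattern is an assumption; tune locally).
SECRET_RE = re.compile(r"(?i)(pass(word|wd)?|pwd|secret)\w*\s*[:=]\s*\S+")

def state_value(state, ev_type, key, default=None):
    """Return content[key] of the room-level state event ev_type, if present."""
    for ev in state:
        if ev.get("type") == ev_type and ev.get("state_key", "") == "":
            return ev.get("content", {}).get(key, default)
    return default

def audit_room(room_id, state, timeline=()):
    """Classify one room from its state and flag secret-like plaintext messages."""
    # Assumption: a room with no join_rules event is treated as invite-only.
    join_rule = state_value(state, "m.room.join_rules", "join_rule", "invite")
    algorithm = state_value(state, "m.room.encryption", "algorithm")
    # The Matrix spec treats a missing history_visibility event as "shared".
    history = state_value(state, "m.room.history_visibility", "history_visibility", "shared")
    exposed = join_rule == "public" and algorithm is None
    hits = [ev.get("event_id") for ev in timeline
            if exposed and ev.get("type") == "m.room.message"
            and SECRET_RE.search(ev.get("content", {}).get("body", ""))]
    return {"room_id": room_id, "exposed": exposed,
            "joinable_by_any_user": join_rule == "public",
            "encrypted": algorithm is not None,
            "history_readable_after_join": history in ("shared", "world_readable"),
            "secret_like_events": hits}

# Constructed sample data: room IDs, event IDs and message bodies are invented.
def mk(ev_type, event_id=None, **content):
    base = {"type": ev_type, "content": content}
    return {**base, "event_id": event_id} if event_id else {**base, "state_key": ""}
SAMPLE = {
    "!public:example.invalid": (
        [mk("m.room.join_rules", join_rule="public")],
        [mk("m.room.message", "$e1", body="Agenda for Monday"),
         mk("m.room.message", "$e2", body="$ldapPassword = 'placeholder'")]),
    "!private:example.invalid": (
        [mk("m.room.join_rules", join_rule="invite"),
         mk("m.room.encryption", algorithm="m.megolm.v1.aes-sha2")],
        []),
}

def audit_all(rooms=SAMPLE):
    """Audit every room; returns one finding dict per room."""
    return [audit_room(rid, state, timeline) for rid, (state, timeline) in rooms.items()]

if __name__ == "__main__":
    print(*audit_all(), sep="\n")
```

A room flagged `exposed` with `history_readable_after_join` set is one where any account that joins can also read messages sent before it arrived, which is why the room's history settings matter when scoping what a single account could reach.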
Threat Actor Claims Social Engineering Led to the Tchap Breach
While DINUM has not released additional technical details regarding how the intrusion occurred, an individual claiming responsibility for the Tchap breach publicly shared alleged evidence over the weekend and described the attack as the result of a social engineering operation.
The threat actor stated:
“I social engineered a valid account on the education shard (matrix.agent.education.tchap.gouv.fr). Everything below is what that one account could reach; other shards will have more.”
According to the claims, access to a legitimate account enabled visibility into a substantial amount of information available through the platform.
The individual also shared samples of files allegedly obtained during the intrusion and claimed to have uncovered hardcoded LDAP credentials. Those credentials were reportedly exposed through a PowerShell script shared by a regional director within a French tax authority.
Alleged Theft of Documents, Messages, and User Information
The threat actor further alleged that more than 13.5GB of documents and media files were taken from Tchap. These files were reportedly shared by public servants using the messaging service.
In addition to the documents, the attacker claimed to have collected nearly 650,000 messages and information associated with more than 73,000 user accounts. The dataset allegedly includes email addresses, organizational details, meeting links, account information, device metadata, and other user-related records.
The individual also made allegations regarding the accessibility of shared files on the platform, stating:
“Every file ever shared on Tchap, on any shard, is downloadable without a token.”
They added:
“The media IDs come from the messages. Once you have a message with a media URL you can pull the file freely regardless of which shard hosts it.”
These claims have not been independently verified by French authorities.