
French Government Messaging App Tchap Hit by Data Breach
France's encrypted government messaging platform has been compromised. A Tchap data breach, confirmed by DINUM, the country's digital affairs directorate, allowed a threat actor to access sensitive communications and account data belonging to public servants after gaining entry through a hijacked user account. France's national cybersecurity agency, ANSSI, detected the intrusion on Sunday, June 8, and DINUM issued a public statement the following day.
What Is Tchap
Tchap is France's government-built alternative to commercial messaging apps. Developed by DINUM in collaboration with ANSSI starting in 2018, the platform runs on the open-source Matrix protocol and was designed from the ground up for exclusive use by the French public sector.
Its significance grew considerably in August 2025, when Prime Minister François Bayrou issued a directive mandating the use of Tchap and banning foreign applications for all work communications across the civil service. The goal was straightforward: keep government communications on infrastructure France controls. By the time of the breach, the platform had accumulated over 300,000 monthly active users.
That backdrop makes the breach more than a routine security incident. A platform built on digital sovereignty principles has now become the subject of a major account hijacking investigation.
How the Tchap Data Breach Unfolded
DINUM confirmed that the attacker accessed Tchap through a compromised user account. Once inside, the threat actor was able to read conversations and access data shared within the platform. The breached account has since been identified and blocked, with DINUM stating the move removed the attacker's persistent access and allowed forensic analysis to begin.
A threat actor claimed responsibility over the weekend, saying they obtained the account through social engineering. The attacker stated they targeted the education shard of the platform, specifically matrix.agent.education.tchap.gouv.fr, and used that foothold to pull data from across the system.
The claimed haul is substantial. The attacker says they scraped approximately 650,000 messages and extracted information on over 73,000 accounts, including email addresses, organisation details, meeting links, and account and device metadata. They also claim to have retrieved over 13.5GB of documents and media files shared by public servants through the service.
DINUM has not confirmed or denied those figures. The investigation remains ongoing.
A Critical Gap in the Platform's Architecture
Beyond the volume of data allegedly taken, the attacker pointed to what they described as a structural vulnerability in how Tchap handles shared media. According to their claims, any file ever shared on the platform across any server shard can be downloaded without authentication once the media ID is obtained from a message. The implication is that access to a single account was enough to reach files stored across the broader infrastructure.
DINUM has not addressed this specific claim. However, the directorate did issue a reminder to all Tchap users that public chat rooms are accessible to any registered user and that their content is not encrypted. Users were told that personal, sensitive, or confidential information should never be exchanged in public rooms and must be kept to private channels.
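For operators of a Matrix deployment, the claim above points to one log check: media downloads that succeed without credentials, especially when a single source pulls from several shards. The Python below is an added example, not code from DINUM, Tchap or the original article. The proxy log format with its `auth=` field, the hosts and the media IDs are constructed assumptions; the path layout is that of the Matrix specification's media download endpoints.

```python
import re
from collections import defaultdict

# Media download paths from the Matrix spec: legacy and client/v1 forms.
MEDIA_RE = re.compile(
    r"/_matrix/(?:media/(?:r0|v1|v3)|client/v1/media)/download/"
    r"(?P<origin>[^/\s]+)/(?P<media_id>[^/\s?]+)"
)
# Assumed (hypothetical) proxy log format: ip "METHOD path" status auth=yes|no
LINE_RE = re.compile(
    r'^(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" '
    r"(?P<status>\d{3}) auth=(?P<auth>yes|no)$"
)

# Constructed sample lines; addresses, hosts and media IDs are placeholders.
SAMPLE_LOG = """\
198.51.100.7 "GET /_matrix/media/v3/download/shard-a.example/AAAmedia01" 200 auth=no
198.51.100.7 "GET /_matrix/media/v3/download/shard-b.example/BBBmedia02" 200 auth=no
198.51.100.7 "GET /_matrix/media/v3/download/shard-c.example/CCCmedia03" 200 auth=no
198.51.100.7 "GET /_matrix/media/v3/download/shard-a.example/AAAmedia04" 401 auth=no
203.0.113.20 "GET /_matrix/client/v1/media/download/shard-a.example/AAAmedia01" 200 auth=yes
203.0.113.20 "GET /_matrix/client/v3/sync" 200 auth=yes
not a log line
"""

def unauthenticated_media_hits(log_text):
    """Map source IP -> media fetched successfully (2xx) without credentials."""
    hits = defaultdict(lambda: {"media": set(), "origins": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["method"] != "GET":
            continue  # skip malformed lines and non-download methods
        media = MEDIA_RE.search(m["path"])
        if media and m["status"].startswith("2") and m["auth"] == "no":
            hits[m["ip"]]["media"].add((media["origin"], media["media_id"]))
            hits[m["ip"]]["origins"].add(media["origin"])
    return dict(hits)

def flag_cross_shard(hits, min_origins=2):
    """Sources that pulled unauthenticated media from several shards."""
    return sorted(ip for ip, h in hits.items() if len(h["origins"]) >= min_origins)

if __name__ == "__main__":
    found = unauthenticated_media_hits(SAMPLE_LOG)
    for ip in flag_cross_shard(found):
        print(ip, len(found[ip]["media"]), sorted(found[ip]["origins"]))
```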
Data Protection Authority Notified
DINUM has formally notified France's data protection regulator, the CNIL, of the incident. That notification reflects the potential exposure of personal data shared by users in conversations the attacker may have been able to read.
The attacker also claimed that hardcoded LDAP credentials were exposed through a PowerShell script shared by a regional director at a French tax authority, though this has not been independently confirmed by DINUM.
A Pattern Forming in France
The Tchap data breach comes weeks after a separate incident involving ANTS, France's agency for managing official identity and registration documents. French authorities detained a 15-year-old in connection with that breach, in which data stolen during an April cyberattack was placed for sale online.
Two significant government security incidents in rapid succession raise broader questions about the resilience of French public sector digital infrastructure, particularly as France has invested heavily in building sovereign platforms to reduce dependence on foreign technology. The breach of a platform specifically designed for secure government communication adds an uncomfortable irony to those efforts.
DINUM says it continues to analyse event logs to determine exactly which conversations and files the attacker accessed. No timeline has been given for when the investigation will conclude.