Tchap Breach Exposes Data of Over 73,000 French Government Employees After Compromised Account Attack

Tchap Messaging Breach Exposes Data of Over 73,000 French Government Employees

A security breach involving the French government’s encrypted messaging platform Tchap has exposed the accounts and data of more than 73,000 public sector employees, according to France’s digital administration directorate (DINUM).

The incident involved unauthorized access gained through a compromised user account, which allowed a threat actor to infiltrate parts of the platform and extract sensitive information from non-private communication channels.

How the Breach Happened

DINUM confirmed that the attacker used a stolen or compromised account to access the Tchap system. Once inside, the attacker was able to exploit access to public chat rooms, which are not end-to-end encrypted.

While private conversations on Tchap remain protected through encryption, public forums are open by design. Messages in these spaces are not encrypted, making them more vulnerable to scraping and unauthorized access.
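
The following added example (not part of the original article and not Tchap's own code) shows how an administrator of a Matrix-based service could classify rooms by their state events to find those whose messages any single account can read in cleartext. The room IDs, sample state, helper names, and exposure labels are constructed for illustration.

```python
# Added example: classify Matrix rooms by how readable their messages are.
# SAMPLE_ROOMS is constructed; each list mirrors the state events returned by
# GET /_matrix/client/v3/rooms/{roomId}/state. Room IDs are made up.
def _ev(event_type, **content):
    return {"type": event_type, "state_key": "", "content": content}

SAMPLE_ROOMS = {
    "!forum:example.org": [_ev("m.room.join_rules", join_rule="public")],
    "!press:example.org": [_ev("m.room.join_rules", join_rule="invite"),
                           _ev("m.room.history_visibility", history_visibility="world_readable")],
    "!team:example.org": [_ev("m.room.join_rules", join_rule="invite"),
                          _ev("m.room.encryption", algorithm="m.megolm.v1.aes-sha2")],
    "!latejoin:example.org": [_ev("m.room.join_rules", join_rule="public"),
                              _ev("m.room.history_visibility", history_visibility="joined")],
}

def room_posture(state_events):
    """Reduce a room's state events to the three settings that govern exposure."""
    state = {e["type"]: e.get("content", {})
             for e in state_events if e.get("state_key") == ""}
    return {
        "encrypted": bool(state.get("m.room.encryption", {}).get("algorithm")),
        # Defaults assumed when the event is absent: invite-only, shared history.
        "join_rule": state.get("m.room.join_rules", {}).get("join_rule", "invite"),
        "history": state.get("m.room.history_visibility", {})
                        .get("history_visibility", "shared"),
    }

def exposure(posture):
    """Label who can read message bodies without holding room keys."""
    if posture["encrypted"]:
        return "e2ee"
    if posture["history"] == "world_readable":
        return "cleartext: readable without joining"
    if posture["join_rule"] == "public":
        backlog = posture["history"] == "shared"
        return "cleartext: any account, " + ("full backlog" if backlog else "from join onward")
    return "cleartext: members only"

def scrapable_rooms(rooms):
    """Rooms whose messages any single account on the server can collect."""
    labels = {rid: exposure(room_posture(ev)) for rid, ev in rooms.items()}
    return {rid: label for rid, label in sorted(labels.items())
            if label not in ("e2ee", "cleartext: members only")}
```

Rooms reported with "full backlog" are the ones where a single compromised account exposes the entire message history, so they are the first candidates for restricted join rules or encryption.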

The breach was reported to France’s data protection authority, CNIL, after potential exposure of user data was identified.

Scale and Type of Data Exposed

Initially, authorities provided limited details, but later updates clarified the extent of the incident.

Out of more than 825,000 registered users, approximately 73,467 accounts were affected—representing less than 9% of users on the platform.

The compromised data includes:

  • First and last names
  • Email addresses
  • Profile avatars
  • Government organization affiliations
  • Public chat room messages
  • Account and device metadata

DINUM confirmed that private encrypted conversations were not impacted.

Attack Response and Containment

Authorities identified the malicious account used in the breach and promptly blocked it to stop further access. This action also helped terminate the attacker’s persistent presence in the system.

Investigators are continuing to analyze what data may have been accessed and how the breach was executed in detail.

Claims From the Threat Actor

A threat actor has claimed responsibility for the incident, stating that the breach was achieved through a social engineering attack.

According to their claims, they allegedly:

  • Scraped around 650,000 messages
  • Accessed data from over 73,000 accounts
  • Stole email addresses, meeting links, and organizational details
  • Collected account and device metadata
  • Downloaded approximately 13.5GB of documents and media files
  • Obtained LDAP credentials reportedly exposed via a PowerShell script

These claims have not yet been officially confirmed by French authorities.

About Tchap Platform

Tchap is a secure messaging platform developed by DINUM in collaboration with ANSSI, France’s national cybersecurity agency. It is based on the Matrix protocol and was launched in 2018 to support secure communication across the public sector.

The platform became the default communication tool for French civil servants in August 2025 and has since grown to more than 300,000 monthly active users, with over 500,000 downloads on the Google Play Store.

Broader Security Context

The incident comes amid increasing cyberattacks targeting government infrastructure. In a related case earlier in the year, French authorities arrested a teenager suspected of involvement in a separate data theft attack against the country’s identity document agency, ANTS.

The Tchap breach highlights the risks associated with compromised credentials and the vulnerability of non-encrypted communication channels, even within otherwise secure government platforms.
