Tchap, the encrypted messaging platform established by the French government for its civil servants, faced a significant breach on June 7, 2026. The incident was detected by ANSSI, France’s cybersecurity agency, which revealed that the breach stemmed from a compromised user account rather than a complex technical exploit. This straightforward attack highlights vulnerabilities that can arise from social engineering tactics.
The attacker, who took responsibility for the breach, claimed to have infiltrated the education shard of Tchap, specifically targeting matrix.agent.education.tchap.gouv.fr. Their announcement listed what was allegedly scraped during the breach: nearly 650,000 messages, data from over 73,000 accounts (including email addresses and device metadata), and approximately 13.5 GB of documents and media files.
In a particularly alarming twist, the attacker asserted they had found hardcoded LDAP credentials that were inadvertently leaked through a PowerShell script shared by a regional director of the French tax authority. This revelation raises questions about the security practices within government agencies.
DINUM, the French Digital Affairs Directorate, attempted to mitigate concerns following the breach. They emphasized that private conversations on Tchap are end-to-end encrypted, meaning that even with a compromised account, historical private messages remain secure. The agency stated, “At this stage, the account originating the malicious requests has been identified. It was immediately blocked to remove the attacker’s persistent access and allow for a thorough analysis of the data they were able to access.”
The focus now shifts to what information was accessible through the compromised account. Tchap differentiates between public chat rooms, which are open to all users and unencrypted, and private rooms, which are designed to be secure. While the attacker’s access was theoretically confined to public content, the size of the user base (300,000 monthly users, many of whom are civil servants) raises the stakes: these public rooms could still contain sensitive information.
In response to the breach, DINUM notified France’s data protection authority, CNIL, about the potential exposure of personal data. They also reminded Tchap users of the importance of understanding the nature of public rooms. “In accordance with Tchap’s terms of service, no personal, sensitive, or confidential information should be exchanged in public chats; these exchanges must be reserved for private conversations,” the agency stated. This reminder, however, feels somewhat reactive, akin to placing a warning sign after an incident has already occurred.
The timing of this breach is particularly noteworthy. In August 2025, Prime Minister François Bayrou mandated the use of Tchap for all civil servants, effectively banning foreign applications for work communications. This shift has made Tchap a more appealing target for cyber threats, especially given its rapid adoption without a corresponding investment in security measures. The investigation into the breach is ongoing, and the implications for Tchap’s security framework may be profound.