French Government's Encrypted Messaging Platform, Tchap, Breached via Hijacked Account
**Tchap**, the French government's secure messaging platform, has suffered a breach after hackers gained unauthorized access through a compromised user account. The incident, detected by **ANSSI** and disclosed by **DINUM**, raises concerns about potential exposure of sensitive government communications and personal data, prompting an urgent investigation and user alerts.

### Tchap Breach Rocks French Government Communications
**DINUM**, the digital affairs directorate of the French government, has issued a warning regarding a significant security incident impacting **Tchap**, the nation's encrypted messaging platform. Hackers reportedly gained unauthorized access to the system by compromising a user account.
Developed in-house by **DINUM** in collaboration with **ANSSI** (the French Cybersecurity Agency) in 2018, **Tchap** is an instant messaging service and collaboration tool built on the decentralized **Matrix protocol**. It is exclusively designed for the French public sector.
The platform has grown substantially, now boasting over 300,000 monthly users and more than 500,000 downloads on **Google's Play Store**. This widespread adoption followed Prime Minister **François Bayrou**'s mandate in early August 2025, which required all civil servants to use **Tchap** for work communications and banned foreign messaging applications.
### Official Response and Data Protection Concerns
**DINUM** disclosed on Monday that **ANSSI** first detected the breach on Sunday. The threat actor was confirmed to have gained access through a compromised user account.
In response, the French digital affairs directorate has formally alerted **CNIL**, France's data protection authority. This action underscores the potential exposure of personal data shared by users in conversations that the attacker might have accessed. All **Tchap** users have also been notified, with a crucial reminder that public chat rooms are accessible to any user and are not encrypted.
"At this stage, the account originating the malicious requests has been identified. It was immediately blocked to remove the attacker's persistent access and allow for a thorough analysis of the data they were able to access. The investigation continues, including the study of event logs, to identify the conversations that the attacker was able to access and the nature of the exfiltrated data," **DINUM** stated in a Monday press release.
The directorate further emphasized, "A message has been sent to all **Tchap** users reminding them that a public chat room can be found and joined by any user and that its content is not encrypted. In accordance with **Tchap**'s terms of service, no personal, sensitive, or confidential information should be exchanged in public chat rooms: such exchanges should be reserved for private chat rooms."
### Attacker Claims and Alleged Data Haul
While **DINUM** has not released further specifics, a threat actor claimed responsibility for the incident over the weekend. They shared a sample of allegedly stolen files and indicated that they gained access through a social engineering attack.
"I social engineered a valid account on the education shard (matrix.agent.education.tchap.gouv.fr). Everything below is what that one account could reach, other shards will have more," the attacker stated.
The threat actor claims to have exfiltrated hardcoded **LDAP** credentials, allegedly leaked via a **PowerShell** script shared by a French tax authority regional director. Furthermore, they allege the theft of over 13.5GB of documents and media files exchanged by public servants using the **Tchap** service.
Their claims also include scraping nearly 650,000 messages and information on over 73,000 accounts. This data reportedly encompasses email addresses, organization details, meeting links, and account and device metadata.
The attacker also highlighted a significant vulnerability: "Every file ever shared on **Tchap**, on any shard, is downloadable without a token. The media IDs come from the messages. Once you have a message with a media URL you can pull the file freely regardless of which shard hosts it."
### Ongoing Investigation and Past Incidents
**DINUM** did not immediately respond to requests for comment on the incident.
This incident follows a cybersecurity event in France last month, in which authorities detained a 15-year-old suspected of selling data stolen in an April cyberattack on **ANTS** (Agence nationale des titres sécurisés), the country's agency responsible for official identity and registration documents.