France built Tchap to pull official conversations away from foreign messaging apps. A threat actor now claims they breached that government-only platform and stole 13.5GB of data.
The alleged breach affects the internal messaging and collaboration tool used by French public sector workers, according to TechRadar Pro. French cyber officials have confirmed a security incident involving a stolen valid account, but the full scope of exposed data remains under investigation.
France wanted controlled chats. A stolen account put Tchap under scrutiny
A cybercriminal using the alias “misere” claimed on a dark web forum that they accessed Tchap through social engineering and exfiltrated 13.5GB of data from the service.
The claimed haul is large: 73,467 user accounts, 643,459 messages, 876 chat rooms with message history, and 59,386 shared media files. The actor also claimed access to discussion rooms involving personnel from multiple French ministries.
That claim has not been fully verified by French authorities. But ANSSI, France’s cybersecurity agency, confirmed that Tchap suffered a security breach and said early reports pointed to a valid account being stolen.
DINUM, the French government’s digital affairs directorate, said it is investigating. The agency has also blocked the account linked to malicious requests, according to related reporting on DINUM’s public response.
“At this stage, the account originating the malicious requests has been identified. It was immediately blocked to remove the attacker's persistent access and allow for a thorough analysis of the data they were able to access,” DINUM said in a Monday press release cited by BleepingComputer.
Tchap was built by DINUM and ANSSI for French public administration. It is available only to users with a .gov address and has more than 300,000 monthly users, along with more than 500,000 downloads on the Google Play Store.
The timing cuts against Tchap’s purpose. In 2025, Prime Minister François Bayrou banned foreign chat apps such as WhatsApp and Signal for work communication, directing government employees toward Tchap instead.
A secure platform is only as private as the rooms users choose
The most important technical split is not whether Tchap is encrypted in the abstract. It is where encryption applies.
ANSSI said private conversations in the app are encrypted. Public conversations are not.
That distinction now matters. If the attacker accessed public rooms, then message history, shared media, user metadata, meeting links, or organizational details could be exposed, depending on the account’s permissions and which rooms it could reach.
The attacker claimed the initial access came through an education-sector account on matrix.agent.education.tchap.gouv.fr. They also claimed that one account’s reach was limited, while other “shards” could expose more. That part remains an allegation.
The claimed breach also raises a sharper question about file handling. The actor alleged:
“Every file ever shared on Tchap, on any shard, is downloadable without a token.”
French officials have not publicly confirmed that claim. If accurate, it would shift the incident from account hijacking into a broader authorization problem around shared media. If false or overstated, the damage may be narrower and tied to what the hijacked account could view.
Here is the immediate contrast for Tchap users:
- Before: Tchap was the approved state-backed alternative for official chats after foreign apps were banned for work use.
- After: French agencies must prove that stolen credentials did not expose sensitive public-sector conversations beyond the compromised account’s normal reach.
- Before: Private chat encryption was the main assurance.
- After: Public room exposure, media access, account metadata, and user behavior are now the pressure points.
- Before: Centralized official tooling reduced reliance on commercial messaging.
- After: Centralization also concentrates trust in access controls, room permissions, and identity security.
This is the same basic tension that shows up in collaboration software far outside government: picking the approved tool does not solve sprawling workflows or sloppy access patterns. XOOMAR has covered that problem in workplace software decisions such as ClickUp vs Notion: The Task Tool Wins When Work Sprawls and Notion AI vs Coda AI: Teams Risk Picking Wrong Tool. Tchap’s case is more sensitive, but the failure mode is familiar: one trusted workspace can become a broad data map if identity and permissions fail.
Gigabytes sound dramatic. The contents decide the damage
The claimed 13.5GB figure will draw attention, but volume alone does not measure harm.
The real severity depends on the mix of data. Stale public-room chatter is one thing. Active meeting links, ministry affiliations, device metadata, contact details, credentials, attachments, or operational discussions are another.
The threat actor claimed to have stolen hardcoded LDAP credentials from a PowerShell script shared by a French tax authority regional director. French officials have not verified that claim either in the reporting cited here, but it is exactly the kind of detail investigators will have to test quickly, because credentials can turn a messaging breach into a wider access problem.
DINUM has alerted CNIL, France’s data protection authority, due to the potential exposure of personal data. It also warned all Tchap users that public rooms can be found and joined by any user and that public-room content is not encrypted.
That warning lands awkwardly. A platform built for official communication still relies on users understanding which spaces are private, which are public, and what type of information belongs in each.
Analysis: The breach claim exposes a governance gap as much as a technical one. If public servants treated public rooms as safe because the platform itself was government-backed, Tchap’s encryption model may have been misunderstood at the user level.
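The public-versus-encrypted split can be audited from room state rather than left to user judgment. This added example is not part of the original article or of Tchap's code; it assumes rooms are described by Matrix state events (Tchap is built on the Matrix protocol), and all room IDs and state are constructed.

```python
# Added example: rank rooms by exposure from their Matrix state events.
LEVELS = ["public-cleartext", "public-encrypted", "closed-cleartext", "closed-encrypted"]

def classify_room(state_events):
    """Classify one room from a list of state events ({"type", "content"})."""
    state = {ev["type"]: ev.get("content", {}) for ev in state_events}
    # Assumption of this example: a missing event is read as "invite" / "shared".
    join_rule = state.get("m.room.join_rules", {}).get("join_rule", "invite")
    history = state.get("m.room.history_visibility", {}).get("history_visibility", "shared")
    encrypted = bool(state.get("m.room.encryption", {}).get("algorithm"))
    scope = "public" if join_rule == "public" else "closed"
    return {
        "level": f"{scope}-{'encrypted' if encrypted else 'cleartext'}",
        # The server hands events sent before the join to anyone who joins later.
        "backlog_to_new_joiners": history in ("shared", "world_readable"),
        # History can be read without joining the room at all.
        "world_readable": history == "world_readable",
    }

def audit(rooms):
    """Return (room_id, classification) pairs, most exposed first."""
    results = [(room_id, classify_room(events)) for room_id, events in rooms.items()]
    return sorted(results, key=lambda r: (LEVELS.index(r[1]["level"]),
                                          not r[1]["backlog_to_new_joiners"]))

SAMPLE_ROOMS = {  # constructed sample data
    "!ops:example.invalid": [
        {"type": "m.room.join_rules", "content": {"join_rule": "invite"}},
        {"type": "m.room.encryption", "content": {"algorithm": "m.megolm.v1.aes-sha2"}},
        {"type": "m.room.history_visibility", "content": {"history_visibility": "invited"}},
    ],
    "!helpdesk:example.invalid": [
        {"type": "m.room.join_rules", "content": {"join_rule": "public"}},
        {"type": "m.room.history_visibility", "content": {"history_visibility": "shared"}},
    ],
    "!team:example.invalid": [
        {"type": "m.room.join_rules", "content": {"join_rule": "invite"}},
    ],
}

if __name__ == "__main__":
    for room_id, result in audit(SAMPLE_ROOMS):
        print(room_id, result)
```

Rooms at the top of the list are the ones where a single valid account is enough to read cleartext history.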
French investigators now need logs, samples, and a clean answer on media access
The next phase is verification.
Investigators will need to validate any data samples shared by the threat actor, map them against Tchap logs, identify which rooms the compromised account entered, and determine whether the attacker still has any access. DINUM has already said it is studying event logs to identify the conversations the attacker could access and the nature of any exfiltrated data.
Several questions remain open:
- Timing: When did the intrusion begin, and how long did the attacker have access?
- Scope: Were only public rooms exposed, or did the attacker reach protected conversations through the hijacked account?
- Files: Is the claim about tokenless media downloads accurate?
- Accounts: Were any government credentials, meeting links, or device metadata usable beyond Tchap?
- Containment: Was blocking the identified account enough, or will wider credential resets and access reviews be needed?
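One way to approach the timing, scope and files questions from event logs, as an added example that is not from DINUM, ANSSI or the original article: it summarises what one account successfully fetched and separately lists media served with no user attached. The log line format, account name and IDs are constructed assumptions; the request paths follow the Matrix client-server API, on which Tchap is built.

```python
import re
from urllib.parse import unquote

# Constructed line format: "<ISO time> <user or -> <method> <path> <status> <bytes>"
LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\d+)$")
ROOM = re.compile(r"^/_matrix/client/v3/(?:rooms|join)/([^/?]+)")
MEDIA = re.compile(r"^/_matrix/(?:media/v3|client/v1/media)/download/([^/]+)/([^/?]+)")

def scope_account(lines, user_id):
    """Summarise what user_id reached, plus media served to requests with no user."""
    report = {"first": None, "last": None, "rooms": set(), "media": set(),
              "bytes": 0, "anonymous_media": []}
    for line in lines:
        m = LINE.match(line.strip())
        if not m or not m.group(5).startswith("2"):
            continue  # unparsable line, or a denied/failed request that returned no data
        ts, user, _method, path, _status, size = m.groups()
        media = MEDIA.match(path)
        if media and user == "-":
            # Media returned although no authenticated user was logged.
            report["anonymous_media"].append((ts, "/".join(media.groups())))
        if user != user_id:
            continue
        report["first"] = min(report["first"] or ts, ts)
        report["last"] = max(report["last"] or ts, ts)
        report["bytes"] += int(size)
        room = ROOM.match(path)
        if room:
            report["rooms"].add(unquote(room.group(1)))  # room IDs are percent-encoded
        elif media:
            report["media"].add("/".join(media.groups()))
    return report

SAMPLE_LOG = [  # constructed sample lines
    "2025-01-01T09:00:00Z @suspect:example.invalid POST /_matrix/client/v3/join/%21roomA%3Aexample.invalid 200 120",
    "2025-01-01T09:00:05Z @suspect:example.invalid GET /_matrix/client/v3/rooms/%21roomA%3Aexample.invalid/messages?dir=b&limit=100 200 48000",
    "2025-01-01T09:01:00Z @suspect:example.invalid GET /_matrix/client/v3/rooms/%21roomB%3Aexample.invalid/messages?dir=b 403 90",
    "2025-01-01T09:02:00Z @suspect:example.invalid GET /_matrix/client/v1/media/download/example.invalid/mediaX 200 300000",
    "2025-01-01T09:03:00Z - GET /_matrix/media/v3/download/example.invalid/mediaY 200 512000",
    "2025-01-01T09:04:00Z @other:example.invalid GET /_matrix/client/v3/rooms/%21roomC%3Aexample.invalid/messages 200 1000",
]

if __name__ == "__main__":
    print(scope_account(SAMPLE_LOG, "@suspect:example.invalid"))
```

A non-empty `anonymous_media` list is the log-side evidence that would bear on the tokenless download claim; an empty one on complete logs would argue against it.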
The broader pressure is clear. France moved official communication toward a domestic, government-controlled tool to reduce reliance on foreign apps. If the Tchap breach claim is confirmed at scale, officials will have to show that the platform’s architecture, user training, and incident response can match the political trust placed in it.
The watch item now is not just whether 13.5GB was stolen. It is whether French authorities can prove exactly what the attacker could reach, close any media-access gap if one exists, and convince public-sector users that “approved” does not mean safe by default.
Impact Analysis
- Tchap was designed to keep French government communications off foreign messaging platforms.
- A stolen valid account raises concerns about social engineering risks inside sensitive public-sector systems.
- Authorities have confirmed an incident, but the full scope of exposed government data is still under investigation.
Originally published on XOOMAR.