Overview
The French government’s encrypted messaging platform, Tchap, has suffered a security breach after hackers hijacked a legitimate user account to gain unauthorized access. The incident, confirmed by DINUM (the Digital Affairs Directorate) and ANSSI (the French Cybersecurity Agency), raises serious concerns about identity compromise and data exposure within government collaboration systems.

What is Tchap?
Developed in 2018 by DINUM and ANSSI, Tchap is an instant messaging and collaboration tool built on the decentralized Matrix protocol, designed exclusively for the French public sector.
- Secure Messaging Platform → Used by civil servants for official communication.
- Government Mandate → Prime Minister François Bayrou banned foreign apps for work use in August 2025.
- User Base → Over 300,000 monthly users and 500,000 downloads on Google Play.
Tchap was intended to be a secure alternative to commercial messaging apps like WhatsApp and Telegram — but this breach shows that even government‑grade systems are not immune to social engineering.
How the Attack Happened
According to DINUM’s press release, ANSSI detected the breach on Sunday, after a threat actor used a compromised user account to access Tchap.
| Attack Vector | Description |
|---|---|
| Account Hijacking | A valid user account was compromised through social engineering. |
| Persistent Access | The attacker maintained access until the account was blocked. |
| Data Exposure | Conversations and shared files may have been accessible to the attacker. |
DINUM immediately blocked the affected account and began analyzing event logs to determine which conversations and data were exfiltrated.
Threat Actor Claims
A threat actor has claimed responsibility for the breach, sharing samples of stolen files and asserting that they gained access via a social engineering attack on an education sector account (matrix.agent.education.tchap.gouv.fr).
They claim to have stolen:
- Hardcoded LDAP Credentials from a PowerShell script shared by a regional tax director.
- 13.5 GB of documents and media files shared by public servants.
- 650,000 messages and 73,000 account records, including email addresses, meeting links, and device metadata.
The attacker also claimed that “every file ever shared on Tchap is downloadable without a token,” suggesting a potential authorization flaw in the platform’s media handling system.
Data Protection and Response
DINUM has alerted the CNIL (Data Protection Authority) due to possible personal data exposure. All Tchap users were reminded that:
- Public Chat Rooms are not encrypted and can be joined by any user.
- Sensitive Information should only be shared in private rooms.
The incident highlights the importance of user education, access control, and encryption scope awareness in government communication systems.
Lessons for Secure Messaging Design
This breach underscores key principles for secure messaging architecture:
- Enforce Multi‑Factor Authentication to reduce account hijacking risk.
- Audit Access Logs regularly for anomalies.
- Encrypt All Data Scopes — not just private rooms.
- Implement Zero‑Trust Principles to limit lateral movement after compromise.
- Train Users on Social Engineering — human error remains the weakest link.
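
One way to act on the "Audit Access Logs" item above, as an added example that is not from DINUM, ANSSI or the Tchap code base: a sliding-window check that flags an account pulling an unusual volume of media, or media from unusually many rooms, in a short time. The log format, field names and thresholds are assumptions made for illustration, and the sample lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical "key=value" audit format
# (an assumption; not Tchap's or any Matrix homeserver's real log format).
SAMPLE_LOG = """\
2025-01-05T09:00:00 user=@alice:example.org room=!hr:example.org bytes=2000000
2025-01-05T09:20:00 user=@bob:example.org room=!it:example.org bytes=5000000
2025-01-05T09:30:00 user=@alice:example.org room=!hr:example.org bytes=1000000
2025-01-05T23:00:00 user=@bob:example.org room=!it:example.org bytes=400000000
2025-01-05T23:02:00 user=@bob:example.org room=!tax:example.org bytes=350000000
2025-01-05T23:04:00 user=@bob:example.org room=!edu:example.org bytes=300000000
2025-01-05T23:05:00 user=@bob:example.org room=!fin:example.org bytes=90000000
malformed line that the parser must skip
"""

def parse(line):
    """Return (timestamp, user, room, bytes), or None for unparseable lines."""
    parts = line.split()
    try:
        ts = datetime.fromisoformat(parts[0])
        kv = dict(p.split("=", 1) for p in parts[1:])
        return ts, kv["user"], kv["room"], int(kv["bytes"])
    except (IndexError, KeyError, ValueError):
        return None

def find_bulk_downloads(lines, window=timedelta(minutes=10),
                        max_bytes=1_000_000_000, max_rooms=3):
    """Flag accounts exceeding max_bytes or max_rooms within window (time-ordered input)."""
    recent = defaultdict(deque)   # user -> events still inside the window
    alerts = {}                   # user -> (time of first alert, reasons)
    for ts, user, room, size in filter(None, map(parse, lines)):
        q = recent[user]
        q.append((ts, room, size))
        while q and ts - q[0][0] > window:   # drop events older than the window
            q.popleft()
        total = sum(s for _, _, s in q)
        rooms = {r for _, r, _ in q}
        reasons = []
        if total > max_bytes:
            reasons.append("volume")
        if len(rooms) > max_rooms:
            reasons.append("room_spread")
        if reasons and user not in alerts:   # keep only the first alert per account
            alerts[user] = (ts, reasons)
    return alerts

if __name__ == "__main__":
    print(find_bulk_downloads(SAMPLE_LOG.splitlines()))
```

Fixed thresholds are only a starting point; in practice they would be tuned against each account's normal activity.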
Expert in the Cloud Insight
The Tchap breach is a reminder that identity security is the new perimeter. Even encrypted platforms can be undermined by credential theft and social engineering. For governments and enterprises alike, the focus must shift from “encrypt everything” to “verify everyone.”
In the era of decentralized communication and AI‑driven collaboration, trust must be continuously validated — not assumed.