France’s Tchap Government Messenger Hit by a Security Breach

An account takeover on France's state-run messenger exposed public chatroom data, and a threat actor claims 14GB of files.


A Tchap breach has put France’s government messenger under scrutiny. On June 7, an attacker compromised a user account on the state-run encrypted platform. DINUM, the agency behind Tchap, says it identified and blocked the account.

Tchap is no ordinary chat app. France built it on the open-source Matrix protocol as a secure messenger for public-sector employees. Hundreds of thousands of civil servants, ministers and military staff rely on it daily. So any intrusion touches government communications directly. ANSSI flagged the activity quickly, which limited the damage window.

What the Tchap breach exposed

However, the attacker tells a bigger story than the government does. The threat actor shared files with BleepingComputer and claims roughly 14GB of documents and data from public Tchap rooms. The claimed haul also includes hardcoded LDAP credentials, email addresses, meeting links and organizational details.

Officials frame the Tchap breach as contained. DINUM says the compromise came from an account takeover. Specifically, its statement describes a controlled intrusion handled in coordination with ANSSI, France’s national cybersecurity agency. Still, investigators are mapping the full scope.

One detail matters for every user. The government reminded staff that public chatrooms on Tchap do not carry end-to-end encryption. As a result, anything posted there was always readable to a logged-in account.
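For administrators who want to check which rooms fall into that unencrypted, openly joinable category, the sketch below classifies a Matrix room from its state events. It is an added example, not code from DINUM or the Tchap project; the room IDs and events are constructed, and the handling of missing events is an assumption noted in the comments.

```python
from typing import Iterable

def room_exposure(state_events: Iterable[dict]) -> dict:
    """Classify a Matrix room's readability from its current state events."""
    # Only events with an empty state_key carry room-wide settings.
    state = {e["type"]: e.get("content", {})
             for e in state_events if e.get("state_key") == ""}
    # A room is end-to-end encrypted only if m.room.encryption names an algorithm.
    encrypted = bool(state.get("m.room.encryption", {}).get("algorithm"))
    # Assumption: a missing join rule is treated here as invite-only.
    join_rule = state.get("m.room.join_rules", {}).get("join_rule", "invite")
    # Assumption: a missing history_visibility is treated here as "shared".
    history = state.get("m.room.history_visibility", {}).get(
        "history_visibility", "shared")
    # "shared" and "world_readable" both let a new member read older messages.
    past_readable = history in ("shared", "world_readable")
    if encrypted:
        finding = "encrypted"
    elif join_rule == "public":
        finding = "plaintext-open" if past_readable else "plaintext-open-from-join"
    else:
        finding = "plaintext-members-only"
    return {"encrypted": encrypted, "join_rule": join_rule,
            "history_visibility": history, "finding": finding}

def ev(etype: str, content: dict) -> dict:
    """Build a constructed room-wide state event."""
    return {"type": etype, "state_key": "", "content": content}

# Constructed sample rooms (hypothetical IDs, not real Tchap rooms).
SAMPLE_ROOMS = {
    "!forum:example.org": [
        ev("m.room.join_rules", {"join_rule": "public"}),
        ev("m.room.history_visibility", {"history_visibility": "shared"}),
    ],
    "!team:example.org": [
        ev("m.room.join_rules", {"join_rule": "invite"}),
        ev("m.room.encryption", {"algorithm": "m.megolm.v1.aes-sha2"}),
    ],
    "!legacy:example.org": [
        ev("m.room.join_rules", {"join_rule": "invite"}),
        ev("m.room.history_visibility", {"history_visibility": "joined"}),
    ],
}

def audit(rooms: dict) -> dict:
    """Map each room ID to its finding so open plaintext rooms stand out."""
    return {rid: room_exposure(events)["finding"] for rid, events in rooms.items()}

if __name__ == "__main__":
    for room_id, finding in audit(SAMPLE_ROOMS).items():
        print(f"{room_id}: {finding}")
```

Rooms reported as `plaintext-open` are the ones where credentials, meeting links or internal documents should never be posted, and where existing history is worth reviewing for such material.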

Why this stings for a sovereign messenger

France promoted Tchap as proof that governments can run secure communications without Big Tech. Because of that, even a contained breach hands ammunition to critics of state-built platforms. The timing hurts too, as European institutions push staff toward sovereign tools.

Of course, governments keep colliding with platform security questions. Tech My Money recently covered Ofcom’s child-safety crackdown on Meta, Snap and Roblox, and the Tchap incident shows regulators face the same hard problems inside their own walls.
