French government's Tchap messaging platform breached through a single hijacked account
#Cybersecurity

Security Reporter

A threat actor social engineered one valid account on Tchap, France's in-house encrypted messaging service for civil servants, then walked away with gigabytes of files and hundreds of thousands of scraped messages. The bigger lesson sits in the architecture: media files were reportedly downloadable without authentication across every shard.


DINUM, the French government's digital affairs directorate, confirmed this week that attackers breached Tchap, the state's encrypted messaging platform, by hijacking a single user account. ANSSI, France's national cybersecurity agency, detected the intrusion on Sunday, and the originating account was identified and blocked to cut off the attacker's persistent access. The investigation is ongoing, with teams combing through event logs to map exactly which conversations were reachable and what data left the building.

Tchap is not an off-the-shelf product. DINUM built it in-house with ANSSI back in 2018, on top of the decentralized Matrix protocol, specifically for the French public sector. Its reach grew sharply after Prime Minister François Bayrou mandated it for all civil servants and banned foreign messaging apps for work communications in early August 2025. The service now counts more than 300,000 monthly users and over 500,000 downloads on the Play Store. That mandate turned a niche government tool into a high-value target almost overnight.

What the attacker says they took

A threat actor claimed responsibility over the weekend, posted a sample of stolen files, and described the entry point as a social engineering attack rather than a software exploit.

Tchap breach claims

"I social engineered a valid account on the education shard (matrix.agent.education.tchap.gouv.fr). Everything below is what that one account could reach, other shards will have more," they wrote. The claimed haul is substantial: hardcoded LDAP credentials allegedly leaked through a PowerShell script shared by a French tax authority regional director, more than 13.5GB of documents and media, nearly 650,000 scraped messages, and metadata on over 73,000 accounts, including email addresses, organization details, meeting links, and device information.

The most damaging claim is architectural. "Every file ever shared on Tchap, on any shard, is downloadable without a token," the actor said. "The media IDs come from the messages. Once you have a message with a media URL you can pull the file freely regardless of which shard hosts it." If accurate, that means authentication gated who could read a conversation, but not who could retrieve the files attached to it. One foothold on the smallest shard becomes a key to media hosted everywhere.

DINUM has not confirmed those specifics. It did alert CNIL, France's data protection authority, citing potential exposure of personal data, and it pushed a notice to all users with a pointed reminder: public chat rooms can be found and joined by anyone, and their contents are not encrypted. Per Tchap's terms of service, no personal, sensitive, or confidential information should be exchanged in public rooms. That warning quietly acknowledges a recurring gap between how a tool is designed to be used and how people actually use it under deadline pressure.

Why one account was enough

The technical lesson here is about blast radius. Encryption protects message contents in transit and at rest, but it does nothing if an attacker simply becomes a legitimate participant. Social engineering sidesteps cryptography entirely by going after the human who holds the credentials.


Matrix's federated, sharded design is meant to compartmentalize. Different government bodies run on different homeservers, so a compromise in one place ideally stays contained. The reported media-access flaw breaks that promise. When media IDs are globally resolvable and unauthenticated, the boundaries between shards stop functioning as security boundaries and become mere organizational labels. Security practitioners have a name for this pattern: a flat trust model hiding behind a segmented one.

The hardcoded LDAP credentials in a shared PowerShell script are a second, depressingly familiar failure. Secrets embedded in scripts and then circulated over chat are one of the most common ways internal directory access leaks. A messaging platform that lets users freely share such files becomes an unintentional credential store, and any account compromise turns into a search problem for the attacker.

Practical takeaways for teams running collaboration platforms

The defensive playbook from incidents like this is consistent. Treat every authenticated session as a potential adversary and gate sensitive actions accordingly. Media and file endpoints deserve the same per-request authorization checks as message reads, not a separate, weaker path. Tokenized, expiring URLs for attachments prevent the "pull any file with its ID" scenario the attacker described.

Segmentation only counts if it is enforced at every layer. Network or shard separation that does not extend to the object storage and media-serving tier offers a false sense of containment. Worth auditing: can a credential valid for one tenant resolve identifiers belonging to another?
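One way to enforce both points at once, per-request authorization on the media tier and attachment tokens bound to the shard that hosts the file, as an added Python example that is not Tchap's, DINUM's or Matrix's own code; the `/media/{id}` path layout, the signing key and the "a session only resolves its own shard" policy are assumptions:

```python
import base64
import hashlib
import hmac
import time
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholder key for this example; a real media tier loads it from a secrets manager.
SIGNING_KEY = b"example-media-signing-key-not-for-production"

def _sign(key: bytes, shard: str, media_id: str, user_id: str, exp: int) -> str:
    # The MAC covers the hosting shard, the media ID, the requesting user and the expiry,
    # so a token minted for one (shard, file, user) cannot be reused for another.
    msg = "\x1f".join([shard, media_id, user_id, str(exp)]).encode()
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode()

def issue_media_url(key: bytes, shard: str, media_id: str, user_id: str,
                    ttl: int = 300, now: Optional[float] = None) -> str:
    """Mint a short-lived download URL after the caller has been authorized to read the message."""
    exp = int(now if now is not None else time.time()) + ttl
    query = urlencode({"u": user_id, "exp": exp, "sig": _sign(key, shard, media_id, user_id, exp)})
    return f"https://{shard}/media/{media_id}?{query}"  # hypothetical path layout

def authorize_download(key: bytes, url: str, session_user: str, session_shard: str,
                       now: Optional[float] = None) -> Tuple[bool, str]:
    """Per-request check the media tier runs before streaming a single byte. Returns (allowed, reason)."""
    parsed = urlparse(url)
    shard, media_id = parsed.netloc, parsed.path.rsplit("/", 1)[-1]
    q = parse_qs(parsed.query)
    if not all(k in q for k in ("u", "exp", "sig")):
        return False, "missing token"  # the bare "media ID is enough" request described above
    user_id, sig = q["u"][0], q["sig"][0]
    try:
        exp = int(q["exp"][0])
    except ValueError:
        return False, "bad expiry"
    if not hmac.compare_digest(sig, _sign(key, shard, media_id, user_id, exp)):
        return False, "bad signature"  # shard, media ID, user or expiry was altered
    if (now if now is not None else time.time()) > exp:
        return False, "expired"
    if user_id != session_user:
        return False, "token issued to another user"
    if shard != session_shard:
        return False, "cross-shard access"  # policy assumption: a tenant session resolves only its own shard
    return True, "ok"
```

The audit question above then has a concrete answer: a credential from one shard cannot produce a valid signature for media on another, and the media tier refuses the bare ID outright.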

For secrets, the answer is to keep them out of chat entirely. Scanning shared files for credential patterns, rotating anything that appears, and steering staff toward a proper secrets manager closes a door that attackers reliably walk through. DINUM's own reminder about public rooms underscores how much sensitive material ends up in places it was never meant to live.

Monitoring is the layer that catches what prevention misses. ANSSI's detection on a Sunday and the rapid blocking of the account are the part of this story that worked, and they are what limits the damage when, not if, an account is compromised. Behavioral signals like an account suddenly enumerating thousands of accounts or bulk-downloading media are exactly the anomalies worth alerting on.
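A minimal version of that alerting logic, run over constructed log lines, as an added Python example rather than code from DINUM or ANSSI; the log format, the `media_download` and `user_lookup` action names, the ten-minute window and the thresholds are assumptions to tune against a platform's own baseline:

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List

# Constructed log format for this example; real homeserver and media-tier logs differ.
LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+)(?: target=(?P<target>\S+))?$")
WINDOW_SECONDS = 600
# Assumed per-account thresholds within one window.
THRESHOLDS = {"media_download": 20, "user_lookup": 50}

def parse_line(line: str):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["user"], m["action"], m["target"]

def detect_bulk_activity(lines: Iterable[str], window: int = WINDOW_SECONDS,
                         thresholds: Dict[str, int] = THRESHOLDS) -> List[dict]:
    """Sliding-window count per (account, action); alert once when an account crosses a threshold.
    Lines are expected in timestamp order, as a log shipper delivers them."""
    recent = defaultdict(deque)  # (user, action) -> timestamps inside the window
    alerted, alerts = set(), []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev[2] not in thresholds:
            continue
        ts, user, action, _ = ev
        key = (user, action)
        recent[key].append(ts)
        while (ts - recent[key][0]).total_seconds() > window:
            recent[key].popleft()  # drop events older than the window
        if len(recent[key]) >= thresholds[action] and key not in alerted:
            alerted.add(key)
            alerts.append({"user": user, "action": action, "count": len(recent[key]), "at": ts.isoformat()})
    return alerts

def sample_log() -> List[str]:
    """Constructed sample: one account behaving normally, one scraping media and the user directory."""
    base = datetime(2025, 11, 30, 3, 0, tzinfo=timezone.utc)
    stamp = lambda t: t.strftime("%Y-%m-%dT%H:%M:%SZ")
    lines = [f"{stamp(base + timedelta(minutes=20 * i))} user=@alice:edu.example action=media_download target=m{i}"
             for i in range(3)]
    lines += [f"{stamp(base + timedelta(seconds=5 * i))} user=@mallory:edu.example action=media_download target=m{i}"
              for i in range(25)]
    lines += [f"{stamp(base + timedelta(seconds=5 * i))} user=@mallory:edu.example action=user_lookup target=@u{i}:fin.example"
              for i in range(60)]
    return sorted(lines)  # ISO timestamps sort chronologically
```

The normal account never trips an alert, while the scraping account is flagged at its 20th download and 50th directory lookup, the point at which an analyst would want the session reviewed.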

The Tchap breach lands in a difficult year for French public-sector security. Last month authorities detained a 15-year-old suspected of selling data stolen in an April cyberattack on ANTS, the agency that issues official identity documents. A government can mandate a sovereign, encrypted tool and still find that the weakest link is a convincing phone call and a misconfigured file server. Sovereignty over your stack does not grant immunity from the basics, and the basics are where this one appears to have gone wrong.
