A compromised account let an attacker scrape names, emails, and organizational details from public chat rooms on Tchap, the French public sector's Matrix-based messaging platform. Private conversations stayed encrypted, but the breach hit roughly 9% of registered users and exposes a familiar weak point: the data sitting outside your encryption.
The French government confirmed on Monday that a breach of its Tchap encrypted messaging platform exposed the accounts of more than 73,000 public sector employees. DINUM, the government's digital affairs directorate, said an attacker logged in with a compromised user account and pulled data from public chat rooms, which are not encrypted, before being detected and cut off.

The numbers tell a clear story. Of more than 825,000 registered agents, 73,467 were affected, or just under 9% of the user base. DINUM notified France's data protection authority (CNIL) given the personal data involved. "These forums, by design, are open to all users and their messages are not encrypted. Officers' private conversations remain protected," the agency said. The exposed fields include last name, first name, email address, the organization each user belongs to, and avatar images.
That distinction between encrypted private chats and open public rooms is the entire lesson here. Tchap is built on the Matrix protocol, an open standard for decentralized, end-to-end encrypted communication. End-to-end encryption did its job: the content of private conversations stayed sealed even after the attacker got inside. But encryption only protects what it covers. Public rooms are meant to be readable by every authenticated user, so once an attacker holds a valid account, scraping those rooms is not an exploit so much as using the platform as designed. The credential was the key to the whole building.
What the attacker claims to have taken
DINUM has not formally attributed the breach, but a threat actor took credit over the weekend and posted a sample of stolen files, claiming they got in through social engineering rather than a software vulnerability.

The actor's claims go well beyond what DINUM has acknowledged. They say they scraped nearly 650,000 messages and data from more than 73,000 accounts, including email addresses, meeting links, organization details, and account and device metadata. They also claim to have grabbed over 13.5GB of documents and media shared by public servants, plus hardcoded LDAP credentials leaked through a PowerShell script.
That last detail deserves attention from anyone running internal tooling. Hardcoded credentials in a script are a recurring failure across organizations of every size, and LDAP credentials are especially valuable because they often grant directory-wide access to user accounts and group memberships. If that claim holds up, the social engineering that opened the door may have been the smaller problem. Secrets baked into automation scripts give attackers a way to move laterally long after the initial entry point gets patched. The practical takeaway: scripts belong in code review, secrets belong in a vault like HashiCorp Vault or a cloud secrets manager, and credential scanning tools such as Gitleaks or TruffleHog should run against repositories and deployment artifacts before anything ships.
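As an added illustration of the credential-scanning step just described, the following Python script is not code from the article, DINUM, or any of the tools named; it is a deliberately small stand-in for what Gitleaks or TruffleHog do with far larger rule sets. Both PowerShell scripts it scans are constructed, as are the hostname, the service-account DN, and the password; the "hardened" variant assumes the bind secret is injected into the runner's environment from a vault, which is one of several ways to keep it out of source.

```python
import re
from dataclasses import dataclass

# Constructed sample: a PowerShell directory-sync script with an LDAP bind password baked in
VULNERABLE_SCRIPT = """\
# sync-users.ps1 (constructed example: secret baked into the script)
$ldapServer = "LDAP://dc01.example.invalid"
$bindUser   = "CN=svc-sync,OU=Service Accounts,DC=example,DC=invalid"
$bindPass   = "Sup3rS3cret!"
$secure     = ConvertTo-SecureString "Sup3rS3cret!" -AsPlainText -Force
$cred       = New-Object System.Management.Automation.PSCredential($bindUser, $secure)
$entry      = New-Object System.DirectoryServices.DirectoryEntry($ldapServer, $bindUser, "Sup3rS3cret!")
"""

# Same job with the secret supplied at runtime (assumed: a vault populates these variables on the runner)
HARDENED_SCRIPT = """\
# sync-users.ps1 (constructed example: no literal secret in source)
$ldapServer = "LDAP://dc01.example.invalid"
$bindUser   = $env:LDAP_BIND_DN
$secure     = ConvertTo-SecureString $env:LDAP_BIND_PASSWORD -AsPlainText -Force
$cred       = New-Object System.Management.Automation.PSCredential($bindUser, $secure)
$entry      = New-Object System.DirectoryServices.DirectoryEntry($ldapServer, $cred.UserName, $cred.GetNetworkCredential().Password)
"""

# Each rule captures the literal secret in group 2 so the report can redact it.
RULES = [
    ("password-like variable assigned a string literal",
     re.compile(r'\$\w*(?:pass(?:word|wd)?|pwd|secret|token)\w*\s*=\s*(["\'])([^"\']+)\1', re.IGNORECASE)),
    ("plaintext literal converted with ConvertTo-SecureString",
     re.compile(r'ConvertTo-SecureString\s+(["\'])([^"\']+)\1')),
    ("string literal passed as LDAP bind password to DirectoryEntry",
     re.compile(r'DirectoryEntry\([^)]*,\s*(["\'])([^"\']+)\1\s*\)')),
]


@dataclass
class Finding:
    line: int
    rule: str
    redacted: str  # first two characters of the secret, rest masked


def redact(secret: str) -> str:
    """Keep enough of the value to locate it in the file without reprinting the secret."""
    return secret[:2] + "*" * (len(secret) - 2)


def scan(script: str) -> list[Finding]:
    """Return one Finding per (line, rule) match; the full secret is never echoed."""
    findings = []
    for no, text in enumerate(script.splitlines(), 1):
        for name, pattern in RULES:
            m = pattern.search(text)
            if m:
                findings.append(Finding(no, name, redact(m.group(2))))
    return findings


if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE_SCRIPT), ("hardened", HARDENED_SCRIPT)):
        hits = scan(src)
        print(f"{label}: {len(hits)} finding(s)")
        for f in hits:
            print(f"  line {f.line}: {f.rule} [{f.redacted}]")
```

Running it reports three findings in the first script (the variable assignment, the plaintext SecureString, and the literal passed to the LDAP bind) and none in the second. A scanner like this belongs in a pre-commit hook or CI stage, and its output should be treated as a blocker rather than a warning; the rules are narrow on purpose, since the real tools add entropy checks and hundreds of provider-specific patterns.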
Why Tchap matters as a target
Tchap was developed by DINUM with ANSSI, the French cybersecurity agency, and launched in 2018 as a sovereign messaging tool for the public sector. The goal was straightforward: keep government communications off commercial platforms like WhatsApp and Telegram and on infrastructure France controls. In early August 2025 it became the default work communication app for all civil servants, and it has since climbed past 300,000 monthly users with more than 500,000 downloads on the Play Store.
That adoption curve is exactly what makes it attractive. A single platform holding the directory of an entire government's workforce is a high-value target, and the more central it becomes, the more an attacker gains from one foothold. The breach also lands in a rough stretch for French public infrastructure. In May, authorities arrested a 15-year-old suspected of selling data stolen in an April attack on ANTS, the agency that issues official identity documents.
Practical advice for teams running similar platforms
The defensive playbook here is not exotic, and that is the point. A compromised account did the damage, so the controls that matter are the ones that limit what one stolen credential can reach.
Start with authentication. Phishing-resistant multi-factor authentication, ideally hardware-backed FIDO2 or passkeys, would have raised the cost of the social engineering route considerably. SMS and app-based codes can still be phished or relayed in real time; hardware keys bound to the origin cannot.
Next, watch behavior, not just logins. DINUM did identify and block the malicious account, but the attacker had already scraped data by then. Rate limiting and anomaly detection on bulk read operations would catch a single account pulling hundreds of thousands of messages. Normal users do not download 13.5GB of organizational documents in a session, and that pattern is detectable if someone is looking for it.
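To make the bulk-read detection concrete, here is an added Python example that is not from the article or from DINUM's platform. It replays a constructed JSON-lines audit log (the event names, fields, and user IDs are invented; a real Matrix homeserver's logs differ) and raises one alert per account whose message fetches in a ten-minute sliding window cross a volume or room fan-out threshold. The thresholds are assumed values and would be tuned to an organization's own baseline.

```python
import json
from collections import defaultdict, deque
from dataclasses import dataclass

# Detection thresholds (assumed values; tune against your own baseline)
WINDOW_SECONDS = 600            # sliding window: 10 minutes
MAX_MESSAGES_PER_WINDOW = 2000  # more fetched messages than this in a window is suspicious
MAX_ROOMS_PER_WINDOW = 40       # more distinct rooms than this in a window is suspicious


@dataclass
class Alert:
    user: str
    ts: int
    messages: int
    rooms: int
    reason: str


def detect_bulk_reads(log_lines):
    """Replay time-ordered JSON-lines audit events and flag accounts whose
    read volume in any WINDOW_SECONDS window exceeds a threshold.
    Emits at most one alert per user so a scraper does not flood the queue."""
    windows = defaultdict(deque)  # user -> deque of (ts, room, count), oldest first
    alerted = set()
    alerts = []
    for line in log_lines:
        ev = json.loads(line)
        if ev["event"] != "room.messages":   # only message-page fetches count as reads
            continue
        user, ts = ev["user"], ev["ts"]
        q = windows[user]
        q.append((ts, ev["room"], ev["count"]))
        while q and q[0][0] < ts - WINDOW_SECONDS:  # evict events outside the window
            q.popleft()
        total = sum(c for _, _, c in q)
        rooms = len({r for _, r, _ in q})
        if user in alerted:
            continue
        if total > MAX_MESSAGES_PER_WINDOW:
            alerts.append(Alert(user, ts, total, rooms, "message volume"))
            alerted.add(user)
        elif rooms > MAX_ROOMS_PER_WINDOW:
            alerts.append(Alert(user, ts, total, rooms, "room fan-out"))
            alerted.add(user)
    return alerts


def constructed_log():
    """Constructed sample: one ordinary user and one account walking every public room."""
    events = []
    # Ordinary user: a few rooms, ordinary page sizes, one unrelated login event
    for i, (room, n) in enumerate([("!ops", 40), ("!team", 25), ("!ops", 30)]):
        events.append({"ts": 1000 + i * 120, "user": "@alice:example.invalid",
                       "event": "room.messages", "room": room, "count": n})
    events.append({"ts": 1100, "user": "@alice:example.invalid", "event": "login"})
    # Scraper: 60 public rooms in five minutes, 100 messages per call
    for i in range(60):
        events.append({"ts": 1000 + i * 5, "user": "@scraper:example.invalid",
                       "event": "room.messages", "room": f"!public{i}", "count": 100})
    events.sort(key=lambda e: e["ts"])  # audit logs arrive in time order
    return [json.dumps(e) for e in events]


if __name__ == "__main__":
    for a in detect_bulk_reads(constructed_log()):
        print(f"ALERT {a.user} at t={a.ts}: {a.messages} messages across "
              f"{a.rooms} rooms in {WINDOW_SECONDS}s ({a.reason})")
```

On the sample log the ordinary account never trips either threshold, while the scraping account is flagged about 100 seconds into its run, after 21 rooms and 2,100 messages, long before it reaches the hundreds of thousands the article describes. The same windowed counters can drive a rate limiter (reject or delay the next fetch once the limit is crossed) as well as an alert, which is the difference between detecting the scrape and stopping it.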
Finally, treat public data as exposed data. The names, emails, and organizational affiliations taken here are precisely the raw material for the next round of targeted phishing against French civil servants. Anyone whose details were in those rooms should expect convincing lures referencing real colleagues and real internal context. Security teams should brief affected staff now rather than after the second-stage campaign arrives.
The broader pattern is one that security professionals keep repeating because organizations keep relearning it: encryption protects content, not access. A platform can be cryptographically sound and still hand over a workforce directory the moment one account falls. The defenses that close that gap (strong authentication, behavioral monitoring, and disciplined secrets management) are unglamorous, well understood, and still too often skipped.
