More than 73,000 French workers were affected by the Tchap messenger breach

The French government revealed that the latest breach of the encrypted messaging platform Tchap affected the accounts of more than 73,000 employees in the French public sector.
DINUM, the digital news agency of the French government, disclosed on Monday that a threat actor had gained access to the Tchap platform using a compromised user account, and said it had notified the French data protection authority (CNIL) because personal data shared by other users may have been disclosed.
While initially not sharing details about what was exposed and how many people were affected by the breach, DINUM revealed in a subsequent update that the attackers may have accessed information shared by approximately 9% of all registered users on the site.

DINUM explained that although private chats are encrypted and their content protected, the attacker was able to steal all the data shared in public chat rooms, which are not encrypted. This allowed the attacker to collect usernames and email addresses, as well as users' avatar images and the public sector organizations they work for.
“Out of more than 825,000 registered agents, 73,467 agents will be affected by this incident, or less than 9% of registered users. These platforms, by design, are open to all users and their messages are not encrypted. The private conversations of employees are always protected,” it said.
“Currently, the account behind the malicious requests has been identified. It has been blocked immediately to remove the continued access of the attacker and to allow a deeper analysis of the data he was able to access. The potentially exposed data from user accounts is of least concern: last name, first name, email address, your business and avatar.”
Although DINUM has not yet said whether the claim is related to the breach, a threat actor claimed responsibility for the attack over the weekend and shared a sample of the stolen files, saying they gained access to the platform following a social engineering attack.
The threat actor said they extracted nearly 650,000 messages and information from more than 73,000 accounts, including email addresses, meeting links, organization information, and account and device metadata.
They also allegedly stole more than 13.5GB of documents and media files shared with government employees using the Tchap service, as well as hard-coded LDAP credentials leaked via a PowerShell script.
Developed by DINUM in collaboration with ANSSI (French Cybersecurity Agency) in 2018, Tchap is a decentralized collaboration tool and instant messaging platform for the French public sector, based on the Matrix protocol.
After becoming the default workplace communication app for all government employees in early August 2025, Tchap has reached more than 300,000 monthly users and now has more than 500,000 downloads on the Google Play Store.
In May, French authorities also arrested a 15-year-old accused of selling data stolen during an April cyber attack on ANTS (Agence nationale des titres sécurisés), the country’s agency for issuing and managing official IDs and registration documents.
