France's government secure messaging platform Tchap has been compromised, according to a disclosure confirmed by French officials after France's National Cybersecurity Agency (ANSSI) detected suspicious activity and the French Digital Affairs Directorate (DINUM) opened an investigation. Officials contend the exposure was limited to public chat rooms, while a threat actor claims access to far more: over 73,000 user accounts, roughly 643,000 messages, nearly 60,000 media files, and hundreds of chat rooms. The gap between the two narratives is now the central question of the incident.
What Happened
The chain began when ANSSI flagged suspicious activity on Tchap, the Matrix-based messaging application built for French public officials and civil servants. DINUM took over the investigation and, in its initial assessment, concluded the attacker reached only public chat rooms accessible to any Tchap user. That framing was quickly disputed. A cyber criminal stepped forward claiming responsibility and provided detailed figures that contradict the official account, asserting a far broader compromise of accounts, messages, and stored media. Investigators are still working through server logs to establish the true scope, and the two versions of events have not yet been reconciled.
What Was Taken
The threat actor claims to have pulled a substantial trove: more than 73,000 user accounts, approximately 643,000 messages, close to 60,000 media files, and hundreds of chat rooms. Most concerning, the actor alleges the data includes documents marked "Diffusion Restreinte," a French government restricted-distribution classification, which would place sensitive official material in the exposure. The actor also claims that user enumeration was possible through a directory search function, meaning attackers could confirm which officials hold accounts. French officials counter that private conversations remain encrypted even when an account is compromised and were not exposed, while acknowledging to data protection watchdog CNIL that personal information in public chat rooms may have been affected.
Why It Matters
Tchap exists precisely because France wanted government communications off commercial platforms and under national control. A breach of that platform, whatever its final scope, undercuts the core value proposition of a sovereign secure-messaging system. Even the government's own limited-exposure narrative concedes that personal data tied to public rooms was affected and warranted a regulator notification. If the threat actor's claims hold, the presence of restricted-distribution documents and a working user-enumeration path would elevate this from a privacy incident to a national security concern, exposing both the identities of officials and the contents of their work. For defenders everywhere, the episode is a reminder that "secure" platforms still carry conventional application-layer risk in their directory services, room permissions, and metadata.
The Attack Technique
The precise intrusion vector has not been confirmed, and investigators are still parsing logs. The strongest technical detail so far is the actor's claim that a directory search function enabled user enumeration, which points to abuse of legitimate application features rather than a break in the underlying encryption. That pattern, harvesting accessible public rooms and enumerable user data through intended functionality, would explain how officials can maintain that private end-to-end encrypted conversations stayed protected while the actor simultaneously claims a large haul. The dispute over volume likely turns on how much content was reachable through public rooms and exposed directory functions versus genuinely private channels.
What Organizations Should Do
- Audit directory and user-search features for enumeration risk, and rate-limit or restrict lookups that let outsiders confirm account existence at scale.
- Treat public or semi-public channels as exposed by default; keep restricted-distribution and classified material out of any room that is not strictly access-controlled.
- Preserve and centralize logs before an incident happens so scope can be established quickly when detection tools raise an alert.
- Verify that end-to-end encryption actually protects message contents even under account compromise, and confirm what metadata remains readable outside that protection.
- Notify data protection regulators early when personal data may be involved, following the transparency posture France adopted with CNIL.
- Reinforce to users that public chat rooms carry real exposure risk and should never be used for sensitive discussion.
Sources: French Government Hacked! Tchap Messaging App Compromised - What You Need to Know (2026)
TWEET: Tchap breached; actor claims 73K accounts, 643K messages, 60K media files. France says only public rooms hit. Full breakdown: https://wasteland.me/intel/french-government-tchap-breach #CyberSecurity #ThreatIntel