Over 73,000 French govt employees affected in Tchap messenger breach
by Sergiu Gatlan · BleepingComputer
The French government revealed that a recent breach of its Tchap encrypted messaging platform affects the accounts of over 73,000 employees in the French public sector.
DINUM, the French government's digital affairs directorate, disclosed on Monday that a threat actor gained access to the Tchap platform using a compromised user account and notified France's data protection authority (CNIL) due to the potential exposure of personal data shared by some users.
While it initially shared almost no details about what was exposed and how many people were affected by this breach, DINUM disclosed in a subsequent update that the attackers may have accessed information shared by around 9% of all registered users on the platform.
DINUM explained that while private conversations are encrypted and their content protected, the attacker was able to steal all the data shared in public chat rooms, which are not encrypted. This allowed them to collect the users' names and email addresses, as well as their avatar images and the public sector organization they work for.
"Of the more than 825,000 registered agents, 73,467 agents would be affected by this incident, or less than 9% of registered users. These forums, by design, are open to all users and their messages are not encrypted. Officers' private conversations remain protected," it said.
"At this point, the account behind the malicious requests has been identified. It was immediately blocked in order to remove the attacker's persistent access and allow in-depth analysis of the data he was able to access. Potentially exposed data from user accounts concerns at least: last name, first name, email address, belonging entity and avatar."
Although DINUM has yet to attribute this breach, a threat actor claimed responsibility for the attack over the weekend and shared a sample of stolen files, saying they gained access to the platform following a social engineering attack.
The threat actor claimed to have scraped nearly 650,000 messages and information from more than 73,000 accounts, including their email addresses, meeting links, organization information, as well as account and device metadata.
They've also allegedly stolen over 13.5GB of documents and media files shared by public servants using the Tchap service, as well as hardcoded LDAP credentials leaked via a PowerShell script.
Developed by DINUM in collaboration with ANSSI (the French Cybersecurity Agency) in 2018, Tchap is a decentralized collaboration tool and instant messaging platform for the French public sector, based on the Matrix protocol.
After becoming the default app for work communications for all civil servants in early August 2025, Tchap has reached over 300,000 monthly users and now has over 500,000 downloads on Google's Play Store.
In May, French authorities also arrested a 15-year-old suspected of selling data stolen in an April cyberattack on ANTS (Agence nationale des titres sécurisés), the country's agency for issuing and managing official identity and registration documents.