Ethical Hacking News
France's government messaging app, Tchap, was breached after a single account was compromised, exposing sensitive information and data from public channels. The breach highlights the vulnerability of government messaging apps to social engineering attacks and underscores the importance of robust security measures.
Tchap, France's government messaging app, was breached after a single account was compromised. The breach exposed sensitive information and data from public channels, highlighting the vulnerability of government messaging apps to social engineering attacks. The attack relied on social engineering tactics rather than sophisticated technical exploits. Over 650,000 messages, information on 73,000 accounts, and 13.5GB of documents were accessed. The breach has raised concerns about the security of Tchap, particularly due to its mandatory adoption at scale without proportional investment in security review.
France's government messaging app, Tchap, has been compromised after a single account was breached, exposing sensitive information and data from public channels. The breach highlights the vulnerability of government messaging apps to social engineering attacks, even when using end-to-end encryption.
The attack occurred on June 7, 2026, when an attacker compromised a user account and used it to access the platform. No sophisticated technical exploit was required; instead, the attacker relied on social engineering tactics to gain unauthorized access. The attacker claimed responsibility over the weekend before France's Digital Affairs Directorate (DINUM) made any official announcement.
The attacker targeted the education shard of Tchap, specifically matrix.agent.education.tchap.gouv.fr, and claimed to have scraped nearly 650,000 messages, information on over 73,000 accounts, including email addresses and device metadata, and over 13.5GB of documents and media files. The attackers also alleged that they had found hardcoded LDAP credentials leaked via a PowerShell script shared by a regional director of the French tax authority.
The breach has raised concerns about the security of Tchap, which was mandated for all civil servants in August 2025 and banned foreign apps for work communications. The app's mandatory adoption at scale, without proportional investment in security review, appears to have contributed to the incident.
DINUM's official statement attempted to downplay the incident, noting that private conversations are end-to-end encrypted and that even with a compromised account, historical private messages remain inaccessible. However, the agency acknowledged that sensitive information may still be accessible through public chat rooms.
Tchap distinguishes between public chat rooms, open to any user and unencrypted by design, and private rooms, which are encrypted. While the attacker's access was theoretically limited to public room content, many users, including civil servants, may not have read the fine print on what public means in this context, potentially exposing sensitive information.
France's data protection authority, the CNIL, has been notified of the potential exposure of personal data, and DINUM has sent a reminder to all Tchap users about how public rooms work. The incident serves as a reminder that even with end-to-end encryption, security measures must be in place to prevent unauthorized access.
The breach is also seen as a wake-up call for government agencies to reassess their cybersecurity practices. Mandatory adoption of technology without proportional investment in security review can lead to vulnerabilities like the Tchap breach.
In conclusion, the Tchap breach highlights the importance of robust security measures, even when using end-to-end encryption. Government agencies must prioritize security and invest in proper oversight and testing to prevent similar incidents.
France's government messaging app, Tchap, was breached after a single account was compromised, exposing sensitive information and data from public channels. The breach highlights the vulnerability of government messaging apps to social engineering attacks and underscores the importance of robust security measures.
Related Information:
https://www.ethicalhackingnews.com/articles/The-Tchap-Breach-A-Cautionary-Tale-of-Government-Messaging-App-Security-ehn.shtml
https://securityaffairs.com/193393/security/frances-government-messaging-app-tchap-got-breached.html
Published: Wed Jun 10 18:02:20 2026 by llama3.2 3B Q4_K_M
