French Government Tchap Breach Under ANSSI Investigation; Only Public Chats Affected?
An account hijacking has occurred on Tchap, the French government's encrypted messaging service. ANSSI has launched an investigation, and authorities claim only public chats were compromised, but hackers claim access to over 70,000 user records.
The French government’s encrypted messaging service “Tchap” has suffered an account hijacking by attackers. The National Cybersecurity Agency (ANSSI) detected suspicious activity on June 7 and is currently investigating. According to a report by The Register, the French Digital Affairs Directorate (DINUM) immediately blocked the affected accounts and set up an investigation team.
Authorities describe the scope of the damage as limited. They claim that attackers could only view messages in public chat rooms accessible to all Tchap users, and that private conversations are encrypted and their content inaccessible even if an account is compromised.
However, some have questioned this explanation. A cybercriminal has claimed responsibility for the attack, stating that they obtained a legitimate agent account related to Tchap’s educational environment through “social engineering.” According to a post shared by Dark Web Intelligence, the attacker claims to have accessed over 73,000 user accounts, 643,000 messages, approximately 60,000 media files, and hundreds of chat rooms. Furthermore, they claim that user enumeration was possible through the directory search function, and that the data may have included references to documents classified as “Diffusion Restreinte” (restricted distribution) by the French government.
These claims have not been independently verified, and DINUM’s statement does not mention the exposure of the user directory, restricted documents, or the volume of data cited by the hacker.
Current Status of the Investigation and Response
French authorities have confirmed that investigators are continuing to analyze logs to determine which conversations were actually accessed and whether data was exfiltrated. ANSSI has determined that personal information may have been exposed through content shared in accessible conversations and has notified the French data protection authority (CNIL).
DINUM has stated that it sent a message to all Tchap users, reminding them that “public chat rooms can be found and joined by anyone, and their content is not encrypted.” The government agency emphasized that “in accordance with Tchap’s terms of use, personal information, confidential information, or sensitive information must not be exchanged in public chats.”
Vulnerabilities in Government Communications
This incident highlights a fundamental issue in the security design of dedicated platforms used by government agencies for internal communications. Tchap is a domestically developed encrypted messaging service designed for use by the French government across ministries and public sector organizations. Its original purpose is to protect sensitive internal government communications.
However, the design of public chat rooms contradicts this goal. Public chats are not encrypted and are open to all users. This means that once a malicious actor gains access to an account, they can monitor government officials’ conversations through public chats.
According to The Register’s analysis, Tchap was developed as part of the French government’s recent push for a “sovereign cloud” initiative, but this incident shows that a gap still exists between technical superiority and security design.
Editorial Opinion
This incident underscores a misunderstanding of the term “encryption” within government agencies and the importance of architectural decisions in platform design. The problem with Tchap lies in the asymmetry where private chats are end-to-end encrypted while public chats are in plaintext, allowing the attack to escalate. This demonstrates that deploying encryption technology is not a panacea; it is essential to design systems based on a correct threat model.
In the short term, the French government will likely need to review Tchap’s public chat functionality or strengthen log auditing mechanisms in the event of account compromise. Other government agencies operating similar platforms should also use this as an opportunity to review the boundaries between public and private areas in their communication infrastructure.
From a long-term perspective, there may be a need to reevaluate the very strategy of “digital sovereignty” – developing and operating domestic government messaging platforms instead of commercial services like Google Workspace or Microsoft Teams. Encrypting private chats alone is insufficient; a comprehensive security architecture encompassing directory service design, account hijacking detection, and integration with Security Operations Centers (SOCs) is required.
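The log auditing and account hijacking detection discussed above can be illustrated with a burst detector over audit events. This is an added example, not code from Tchap, DINUM or ANSSI: the log format, account names, time window and thresholds are constructed assumptions. It flags an account that searches the directory for many distinct names, or joins many distinct public rooms, within a short window.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit log, hypothetical format (not Tchap's): timestamp account action target
SAMPLE_LOG = """\
2026-01-01T09:00:00 alice directory_search dupont
2026-01-01T09:02:00 alice join_public_room #canteen
2026-01-01T10:00:00 carol directory_search a
2026-01-01T10:00:20 carol directory_search b
2026-01-01T10:00:40 carol directory_search c
2026-01-01T10:01:00 carol directory_search d
2026-01-01T10:02:00 carol join_public_room #room1
2026-01-01T10:02:30 carol join_public_room #room2
2026-01-01T10:03:00 carol join_public_room #room3
2026-01-01T11:00:00 bob directory_search leroy
2026-01-01T11:01:00 bob directory_search leroy
2026-01-01T11:02:00 bob directory_search leroy
2026-01-01T11:03:00 bob directory_search leroy
"""

WINDOW = timedelta(minutes=10)
# Assumed tuning values: distinct targets per account within WINDOW.
THRESHOLDS = {"directory_search": 4, "join_public_room": 3}

def parse(line):
    ts, account, action, target = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), account, action, target

def detect_bursts(log_text, window=WINDOW, thresholds=THRESHOLDS):
    """Return {(account, action): time the threshold was first crossed}."""
    lines = [l for l in log_text.splitlines() if l.strip()]
    events = sorted(e for e in map(parse, lines) if e[2] in thresholds)
    recent = defaultdict(deque)  # (account, action) -> recent (ts, target)
    alerts = {}
    for ts, account, action, target in events:
        q = recent[account, action]
        q.append((ts, target))
        while ts - q[0][0] > window:  # drop events older than the window
            q.popleft()
        # Count distinct targets so one repeated search does not alert.
        if len({t for _, t in q}) >= thresholds[action]:
            alerts.setdefault((account, action), ts)
    return alerts

if __name__ == "__main__":
    for (account, action), ts in detect_bursts(SAMPLE_LOG).items():
        print(f"{ts.isoformat()} ALERT {account}: burst of {action}")
```

In practice the thresholds would be tuned against normal usage, and alerts of this kind would be forwarded to the SOC rather than printed.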
In the wake of this incident, internal communication platforms for government agencies must adopt more advanced security measures, including not only end-to-end encryption but also careful design of public chats and containment of damage when accounts are compromised. Furthermore, with the proliferation of AI tools such as Anthropic’s Claude Mythos and Microsoft’s MarkItDown, new discussions are needed on balancing AI use within government agencies with data protection.
References
- France probes compromise of gov messaging platform after account hijack - The Register — Published 2026-06-09
Frequently Asked Questions
- What kind of service is Tchap?
  - Tchap is a domestically developed encrypted messaging service for the French government, aimed at ministries and public sector organizations. It was designed to protect internal government communications, but public chat rooms are not encrypted and are open to all users.
- How did the attacker obtain the account?
  - The attacker claims to have obtained a legitimate agent account related to Tchap's educational environment through social engineering. Authorities have confirmed the account hijacking and are currently investigating.
- What is the extent of the damage?
  - Authorities claim that only public chat rooms were exposed, but the hacker claims to have accessed over 73,000 user accounts, 643,000 messages, and approximately 60,000 media files. These claims have not been independently verified, and the investigation is ongoing.