France's Interministerial Directorate for Digital Affairs (DINUM) has confirmed a security incident affecting Tchap, the encrypted messaging platform used across French government agencies.
The disclosure comes after a threat actor attempted to sell or leak data allegedly stolen from the platform, claiming access to tens of thousands of government user accounts, hundreds of thousands of messages, and thousands of shared files.
According to an announcement by DINUM, the French National Cybersecurity Agency (ANSSI) detected suspicious activity on June 7 and identified a security breach involving account impersonation. Specialized incident response teams immediately launched an investigation to confirm the intrusion, determine its scope, and implement containment measures.
Tchap serves as the French government's official instant messaging platform and is widely used by public-sector employees across ministries and state agencies. Developed under the supervision of DINUM, the service is based on the Matrix communications protocol and was designed to provide a sovereign alternative to commercial messaging platforms for government communications.
DINUM emphasized that private encrypted conversations remain protected despite the intrusion. The agency explained that private chats on Tchap are end-to-end encrypted and that message history from those conversations cannot be accessed solely by compromising a user account.
The organization said the data potentially exposed during the incident is limited to content from public discussion rooms, which are intentionally accessible to all Tchap users and whose messages are not encrypted. Authorities also reminded users that sensitive information, personal data, and content protected by professional secrecy should never be shared in public rooms and should instead be restricted to private, encrypted channels.
DINUM stated that the account used to conduct the malicious activity has been identified and immediately disabled to remove the attacker's access and support a forensic investigation. Analysts are currently reviewing logs to determine which conversations were accessed and whether any information was exfiltrated.
Threat intelligence monitoring platform ThreatMon reported that a threat actor alleged the breach of Tchap and claimed to possess approximately 13.5 GB of internal data collected over nearly three years.
The threat actor claimed to have obtained:
- More than 73,000 government user accounts
- Approximately 643,000 messages
- 876 discussion rooms with message histories
- Nearly 60,000 shared media files totaling around 13.5 GB
The threat actor further alleged that the exposed information included government employee names, official email addresses, ministry affiliations, shared documents, media files, meeting links, device metadata, and communications from inter-ministerial collaboration channels.
At this stage, French authorities have not confirmed the volume or nature of the data described by the threat actor. The government's statement only acknowledges an account breach and warns that content from public, non-encrypted conversations may have been accessible. No evidence has been publicly released to validate the full extent of the claims circulating on cybercrime forums.
Leave a Reply