France's secure messaging service Tchap suffers from an account breach.

      France developed its own encrypted messaging application so that civil servants wouldn't need to rely on WhatsApp or Telegram. However, this messenger has now been compromised, leading to disagreements between the government and the attacker regarding the extent of the data breach.

      France's National Cybersecurity Agency, ANSSI, identified a breach of Tchap on June 7, and the Digital Affairs Directorate (DINUM), which oversees the platform, issued an incident notice and worked to suspend the affected account. Importantly, this incident did not involve a breach of the encryption or underlying infrastructure.

      Officials indicate that the perpetrator gained access by compromising a legitimate user account, which involves credential theft rather than a flaw in the system itself. The government's assessment of the breach is limited. Tchap, built on the open Matrix protocol, supports both public and private communications, with private conversations being end-to-end encrypted. DINUM asserts that even if an account is impersonated, the history of private encrypted chats remains inaccessible, suggesting that only the unencrypted public chat rooms—available to any authenticated user—might have been accessed.

      Investigators are currently reviewing logs to determine which conversations may have been accessed and if any data was taken. DINUM has informed the data protection authority CNIL, as personal information may have been exposed in the content visible to the attacker, and has advised users that public rooms are not appropriate for sensitive information.

      The attacker presents a much larger narrative. Operating under the alias ‘Misère,’ they claim to have accessed data related to approximately 73,000 state agents, 643,000 messages, nearly 60,000 files totaling around 13.5 gigabytes, numerous chat rooms, and about 90 references to ‘Diffusion Restreinte,’ a French restricted-distribution label valid from June 2023 to June 2026.

      The attacker asserts that their entry was gained through social engineering within Tchap’s educational sector, and that a directory search function allowed them to enumerate users across the platform. These figures, transmitted through dark-web intelligence networks and echoed by French security outlets, have not been confirmed by ANSSI or DINUM, whose communications make no mention of restricted documents, directory exposure, or the cited data volumes.

      Several French information security analysts have deliberately chosen not to include these numbers in their breach trackers due to a lack of independent verification. They remain merely claims made by the attacker, not established facts.

      A technical nuance complicates the government's assurances. End-to-end encryption secures messages while in transit and at rest, preventing the server from releasing past private chats. However, security researchers point out that completely hijacking an individual's logged-in client differs from general access: an attacker impersonating that user can effectively view whatever that account displays in real-time, including private rooms opened at that moment. While encryption remains intact, the impersonation constitutes the vulnerability.

      What amplifies the impact of this incident is the significance of Tchap. DINUM and ANSSI created it as a state-operated, French-hosted alternative to platforms like WhatsApp, Telegram, and Slack, launched in 2019 precisely to ensure that governmental communications would not rely on foreign-controlled services.

      Since 2025, it has been adopted across various ministries, reaching hundreds of thousands of public agents, and it is part of a broader French initiative towards technological independence that has seen Paris shift ministries from Windows to Linux, with Europe increasingly recognizing reliance on foreign technology as a political risk.

      The discrepancy between the claim of ‘a few public rooms’ and ‘73,000 accounts and restricted document references’ will be clarified through log analysis rather than press statements. For a service that promotes the idea that the state can effectively manage its own secure communications, even a limited breach is a significant setback. An explosive, unverified hack claim adds to the narrative that sovereignty skeptics and France's competitors will gladly amplify.