Tchap breached: how France's "secure" government messenger was compromised — and why it was always vulnerable
Cybersecurity · Breach analysis | 9 June 2026 · 6 min read
France mandated Tchap for all 73,000+ public officials to protect state communications. A single stolen account later, 643,000 messages are allegedly on the dark web. Here is how it happened, what the app actually protects — and what it doesn't.
By the numbers
| Figure | What it counts |
| --- | --- |
| 73,000+ | state agents potentially exposed |
| 643,000 | messages claimed on dark web |
| 976 | discussion rooms accessed |
| 13.5 GB | files allegedly downloaded |
What happened
On the night of Sunday 8 June 2026, France's National Agency for Information Systems Security (ANSSI) detected a "compromise of the Tchap service following an account theft." A single user account had been stolen and weaponised. The attacker used it to silently sweep through Tchap's public conversation rooms, harvesting messages, user directories, shared files, and organisational metadata — before being identified and blocked.
The Interministerial Digital Directorate (DINUM) was quick to clarify: private, end-to-end encrypted conversations were not accessible. But "public rooms" — the collaborative spaces used for inter-departmental discussion — are not encrypted, and their full contents appear to have been exposed. The specialist site FrenchBreaches reported dark web claims of over 643,000 messages, 59,000 shared files (≈13.5 GB), and data covering nearly three years of platform activity, from June 2023 to June 2026.
⚠️ DINUM has not yet confirmed the number of compromised accounts or validated the dark web claim figures. The breach scope described below reflects what FrenchBreaches reported from attacker claims — not confirmed official data.
The breach timeline
April 2019 — Tchap launches and is bypassed within one hour by a security researcher who registers with a non-government email via an email-parsing flaw (CVE-2019-11340). Patched the same day.
August 2025 — Matrix Foundation discloses two high-severity protocol vulnerabilities (CVE-2025-49090, CVE-2025-54315) affecting room state control and room ID generation — both relevant to Tchap's federated architecture. Patches issued.
September 2025 — French government mandates Tchap for all public officials, citing "growing risk of interception." User base significantly expanded across all ministries and administrations.
March 2026 — FrenchBreaches flags an earlier dark web claim alleging database access to Tchap — possibly a precursor or separate incident. Security community raises alert.
8 June 2026 — ANSSI detects active compromise. A stolen account is being used to scrape public rooms. Account identified and blocked. DINUM notifies the CNIL (France's data protection authority).
9 June 2026 — DINUM issues public statement. Confirms E2E-encrypted private chats are intact. Does not confirm how many accounts were affected. Investigation ongoing.
What Tchap actually is — and how it works
Tchap is a fork of Element (formerly Riot), built on the open-source Matrix protocol. It was developed by DINUM specifically because mainstream apps like Signal, WhatsApp, and Telegram were deemed unsuitable for government use — their servers are outside French control, their encryption cannot be independently audited, and data would leave the country. Tchap was designed to solve all three problems: self-hosted, open-source, and based on a protocol that had been cryptographically reviewed by NCC Group.
Private / direct messages — End-to-end encrypted using the Double Ratchet Algorithm. Even Tchap's own servers cannot read these. Confirmed not exposed in this breach.
Public rooms (salons publics) — Not end-to-end encrypted. Accessible to all platform users. This is where the breach occurred — these rooms functioned as open inter-departmental discussion spaces.
Federated architecture — Each ministry runs its own Matrix homeserver. Federation allows cross-ministry communication — but also means a compromise in one part of the network can expose activity across the wider graph.
Identity verification — Access is limited to .gouv.fr and similar government email domains. The 2019 bypass exploited a flaw in email validation logic — the current breach used a legitimate, stolen credential instead.
The vulnerability layers
🔴 Account takeover as attack vector — EXPLOITED JUNE 2026
The attacker did not break encryption or exploit a software flaw — they stole a valid user account and logged in as a legitimate civil servant. This gave them the same access as any other user: full visibility into all public rooms that account could see. Account theft bypasses E2E encryption entirely because the attacker is the authorised user, from the platform's perspective. Phishing, credential stuffing, or malware on an endpoint are the most likely vectors.
🟡 Public rooms are unencrypted by design — ARCHITECTURAL RISK
Tchap's public rooms operate like open forums — readable by anyone on the platform with a valid account. This is a deliberate design choice for inter-departmental collaboration, but it means that one compromised account grants read access to potentially years of professional communications across hundreds of government workgroups. DINUM's own guidance states that "no sensitive, confidential, or professionally privileged information" should ever be shared in these spaces — a policy that 73,000 civil servants must consistently follow for the architecture to be safe.
🔵 Historic email bypass — CVE-2019-11340 — PATCHED (2019)
On launch day in 2019, a researcher discovered that Tchap's email validation logic — using Python's email.utils.parseaddr — could be tricked by a malformed address like attacker@evil.org@gouv.fr. The parser stripped the legitimate domain and sent the validation token to the attacker's address, granting full platform access. Patched within hours, but it illustrates how identity-gating logic can be circumvented at the input layer rather than the encryption layer.
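To make that failure mode concrete, here is an added example (not Tchap's or Synapse's actual code) reconstructing the pattern in plain Python: a legacy check that inspects the text after the last '@' while mailing the token to whatever email.utils.parseaddr extracts, beside a hardened validator that accepts only a bare address whose parsed form round-trips to the exact string that was checked. The allow-list containing only gouv.fr and the function names are assumptions.

```python
from email.utils import parseaddr
from typing import Optional

# Constructed allow-list standing in for Tchap's government domains (assumption).
ALLOWED_DOMAINS = ("gouv.fr",)


def _domain_allowed(domain: str) -> bool:
    """Exact match or subdomain of an allowed domain. The leading dot matters:
    'notgouv.fr' ends in 'gouv.fr' but is not a government domain."""
    return any(domain == d or domain.endswith("." + d) for d in ALLOWED_DOMAINS)


def legacy_recipient(raw: str) -> Optional[str]:
    """Illustrative reconstruction of the CVE-2019-11340 pattern (not Tchap's
    real code): the allow-list is checked on the text after the LAST '@', but the
    token goes to whatever parseaddr() extracts, so two views of one string can
    disagree. Returns the address the token would be mailed to, or None."""
    if not _domain_allowed(raw.rsplit("@", 1)[-1].lower()):
        return None
    # Python releases before the strict parseaddr() (CVE-2023-27043 fix) return
    # 'attacker@evil.org' here for 'attacker@evil.org@gouv.fr'; newer releases
    # return '' for multi-address input. Neither is a valid recipient.
    return parseaddr(raw)[1]


def hardened_validate(raw: str) -> Optional[str]:
    """Accept only a bare address whose parsed form is byte-for-byte the string
    that was checked, so validator and mailer cannot see different addresses.
    Returns the canonical address (domain lower-cased) or None."""
    candidate = raw.strip()
    # Exactly one '@', and none of the syntax that lets a parser re-interpret
    # the string (display names, angle brackets, comments, quotes, lists).
    if candidate.count("@") != 1 or any(c in candidate for c in '<>()",;: \t\r\n'):
        return None
    name, parsed = parseaddr(candidate)
    if name or parsed != candidate:  # round trip: the parser saw what we saw
        return None
    local, domain = parsed.split("@")
    domain = domain.lower()
    if not local or not _domain_allowed(domain):
        return None
    return f"{local}@{domain}"
```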
🟡 Matrix protocol — CVE-2025-49090 & CVE-2025-54315 — HIGH SEVERITY, PATCHED AUGUST 2025
In August 2025 — just weeks before France expanded Tchap to all civil servants — the Matrix Foundation disclosed two high-severity protocol-level vulnerabilities. CVE-2025-49090 allowed a malicious administrator to reset room state, potentially hijacking control of communication channels. CVE-2025-54315 raised concerns about room ID predictability. Patches required a coordinated ecosystem update (Room Version 12). Whether Tchap's servers were fully patched before the September 2025 expansion is not confirmed publicly.
The real damage: what was exposed
The technical breach is one thing. The intelligence value of what was harvested is another. Even without accessing private messages, an attacker who can read three years of public room discussions across 976 government workgroups gains:
- Organisational maps of French ministries — who talks to whom, which departments collaborate, who holds which role
- Full government email addresses of 73,000+ officials
- The topics, tone, and timing of inter-departmental coordination
- Shared documents, images, and 13.5 GB of files from collaborative spaces
- Enough context to craft highly convincing spear-phishing messages targeting specific officials by name, department, and known colleagues
This is the profile of a state-level intelligence harvest, not just a data breach. Even if no single message contained classified content, the aggregate — who, with whom, about what, and when — is operationally valuable to any hostile actor.
The deeper problem: digital sovereignty vs. security theatre
Tchap was built to solve a real problem: France's government communications were flowing through foreign-owned, proprietary, unauditable systems. The logic was sound. The execution produced a platform that is genuinely more transparent and sovereign than WhatsApp or Telegram — but whose security ultimately depends on the human layer: the civil servants who must never put sensitive information in public rooms, who must use strong credentials, and who must not be phished.
Mandating Tchap for 73,000 officials in September 2025 was a policy of scale without a corresponding investment in that human layer. Mass rollout without mandatory hardware MFA, without systematic credential hygiene training, and without real-time monitoring of anomalous account behaviour turns a technically sound architecture into a large, predictable attack surface.
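Picking up the monitoring gap, here is an added example (not DINUM's or Tchap's code) of the kind of anomaly rule that would surface a single account sweeping hundreds of public rooms: a sliding-window count of distinct rooms per account over a constructed event stream. The event shape, the one-hour window and the 25-room threshold are assumptions; a production rule would baseline the threshold per account and read a homeserver's real access logs.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, Iterable, List, Set, Tuple

# Constructed event shape (unix_ts, user_id, room_id); not Synapse's log format.
Event = Tuple[int, str, str]


def detect_room_sweeps(events: Iterable[Event], window_s: int = 3600,
                       max_rooms: int = 25) -> List[Tuple[str, int, int]]:
    """Flag any account that reads more than `max_rooms` DISTINCT rooms within a
    sliding window of `window_s` seconds. Returns (user_id, first_alert_ts,
    distinct_rooms) once per offending account. Events must be time-ordered."""
    recent: Dict[str, Deque[Tuple[int, str]]] = defaultdict(deque)
    in_window: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    alerted: Set[str] = set()
    alerts: List[Tuple[str, int, int]] = []
    for ts, user, room in events:
        recent[user].append((ts, room))
        in_window[user][room] += 1
        # Expire events that fell out of the window; drop rooms no longer seen.
        while recent[user] and recent[user][0][0] <= ts - window_s:
            _, old_room = recent[user].popleft()
            in_window[user][old_room] -= 1
            if in_window[user][old_room] == 0:
                del in_window[user][old_room]
        distinct = len(in_window[user])
        if distinct > max_rooms and user not in alerted:
            alerted.add(user)
            alerts.append((user, ts, distinct))
    return alerts


def sample_events() -> List[Event]:
    """Constructed traffic: one ordinary account revisiting six team rooms all
    day, and one stolen account walking 40 public rooms in 20 minutes."""
    base = 1_780_000_000
    events: List[Event] = []
    for i in range(96):  # normal user: activity every 5 minutes across 6 rooms
        events.append((base + i * 300, "@agent:example", f"!team{i % 6}:example"))
    for i in range(40):  # sweep: a previously unseen room every 30 seconds
        events.append((base + 7200 + i * 30, "@stolen:example", f"!salon{i}:example"))
    events.sort()
    return events
```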
💡 The encryption held. The protocol (mostly) held. What failed was account security — the oldest, most human vulnerability in cybersecurity. A key lesson: sovereign infrastructure is not the same as secure infrastructure.
What should happen now
DINUM has notified the CNIL as required under French data protection law. ANSSI is investigating. The compromised account has been blocked. But the structural questions remain unanswered: the existence of unencrypted public rooms, the lack of mandatory MFA, the timing of the Matrix protocol patches relative to the September 2025 expansion, and the adequacy of monitoring for a platform now used by the entire French civil service. The breach is controlled. The architecture's vulnerabilities are not.
Sources: DINUM official statement (9 June 2026); FrenchBreaches; Brinztech breach alert (March 2026); The Record / Recorded Future; CSO Online; Matrix Foundation security disclosures (CVE-2025-49090, CVE-2025-54315); Threatpost; Medium/@fs0c131y (2019); element.io Tchap case study.