French Government’s Secure Messaging Platform Tchap Breached, 13.51 GB of Data Exfiltrated A threat actor operating under the alias misere has claimed responsibility for compromising Tchap, the encrypted messaging platform used by the French government, allegedly stealing 13.51 GB of sensitive internal data. The breach, detected by France’s national cybersecurity agency (ANSSI) on June 7, 2026, targeted the platform’s education ministry shard (matrix.agent.education.tchap.gouv.fr) via a hijacked user account obtained through social engineering. Developed by the Interministerial Directorate for Digital Affairs (DINUM) and built on the Matrix/Synapse open-source protocol, Tchap was mandated for all French public officials in September 2025 as a sovereign alternative to commercial apps like Signal and WhatsApp. With over 825,000 registered civil servants across ministries, the platform supports end-to-end encryption for private conversations but leaves public chat rooms unencrypted. The attacker exploited Tchap’s non-shard-isolated user directory, allowing them to enumerate 73,467 government accounts across all ministries. From the compromised education ministry account, they scraped 643,459 messages from accessible rooms, 876 discussion channels, and 59,386 media files including 90 instances of "Diffusion Restreinte", France’s restricted government classification level. Exposed data also included internal Zoom and Webex meeting links, device metadata, and communications from key ministries, including Interior, Finance, Defense, Justice, and National Education. DINUM confirmed that the breach exposed personal data such as full names, government email addresses, organizational affiliations, and profile avatars. While private messages remained encrypted, the incident highlighted a critical flaw: public rooms on Matrix-based platforms are accessible to any authenticated user, meaning a single compromised account could harvest vast amounts of sensitive data without exploiting software vulnerabilities. Upon discovery, DINUM blocked the compromised account and launched an investigation with ANSSI. The agency also notified France’s data protection authority (CNIL) and issued a platform-wide alert to users, emphasizing the lack of encryption in public chat rooms. French officials have since maintained that the confidentiality of private messages was not compromised.