The National Agency for the Security of Information Systems (ANSSI) detected a security breach on the Tchap platform, an instant messaging service for the French public sector. A threat actor accessed the platform using a compromised user account.
In early August 2025, Prime Minister François Bayrou mandated that civil servants use Tchap and banned foreign work communication applications. The Directorate for Interministerial Digital Affairs (DINUM), which developed Tchap with ANSSI in 2018, notified the National Commission on Informatics and Liberty and all registered Tchap users about the security incident.
DINUM stated that the account originating the malicious requests was identified and blocked to remove the attacker's access. An investigation is ongoing to analyze the data the attacker could access and to identify the conversations the attacker viewed and the nature of any exfiltrated data. "At this stage, the account originating the malicious requests has been identified. It was immediately blocked to remove the attacker's persistent access and allow for a thorough analysis of the data they were able to access. The investigation continues, including the study of event logs, to identify the conversations that the attacker was able to access and the nature of the exfiltrated data."
DINUM sent a message to Tchap users reminding them that public chat rooms are not encrypted and that any user can find and join them. Tchap's terms of service state that personal, sensitive, or confidential information should not be exchanged in public chat rooms and should be reserved for private chat rooms. "A message has been sent to all Tchap users reminding them that a public chat room can be found and joined by any user and that its content is not encrypted. In accordance with Tchap's terms of service, no personal, sensitive, or confidential information should be exchanged in public chat rooms: such exchanges should be reserved for private chat rooms."
A threat actor claimed responsibility for the incident and shared a sample of stolen files. The actor stated they gained access following a social engineering attack. "I social engineered a valid account on the education shard. Everything below is what that one account could reach, other shards will have more." The actor claims to have stolen hardcoded Lightweight Directory Access Protocol (LDAP) credentials, which were allegedly shared via a PowerShell script by a regional director at a French tax authority.
The threat actor claims to have stolen over 13.5 gigabytes of documents and media files shared by public servants on the platform. They also claim to have scraped nearly 650,000 messages and data on over 73,000 accounts, including email addresses, organization information, meeting links, and metadata. The actor stated that files shared on Tchap, on any shard, are downloadable without a token. "Every file ever shared on Tchap, on any shard, is downloadable without a token. The media IDs come from the messages. Once you have a message with a media URL you can pull the file freely regardless of which shard hosts it."
No independent assessment was available for this report.