www.it-connect.fr
Tchap Cyberattack: Hacker Breaches French State Encrypted Messaging Service
Tchap, the instant messaging service reserved for French public-sector employees and integrated into LaSuite, was targeted by an intrusion! Another blow to the State’s digital services with this new security incident confirmed by the Interministerial Digital Directorate (DINUM). Here is what we know.
As a reminder, Tchap is the encrypted instant messaging service for the public sector, designed and managed by the French government. Tchap is presented as an alternative to solutions such as Slack, Discord and, in a sense, Microsoft Teams. Employees can communicate in private rooms or chat with one another via private conversations. The Tchap app is part of a suite of tools called LaSuite, which is now used monthly by more than 400,000 active users.
An intrusion detected by ANSSI through a compromised account
The alert was raised at the end of the weekend. On June 7, 2026, the French National Cybersecurity Agency (ANSSI) detected abnormal activity on Tchap, following the compromise of an employee account. This incident was confirmed by DINUM after attracting attention on social media, notably because the hacker made claims on the Dark Web.
"At this stage, the account behind the malicious requests has been identified. It was immediately blocked in order to remove the attacker’s persistent access and allow a thorough analysis of the data that may have been accessed.", DINUM explains in its press release.
The attacker therefore got hold of an employee account, which gave access to that person’s Tchap workspace. Although nothing is specified on this point, it is likely that the account was stolen through infostealer malware or a phishing campaign.
What is the real impact on exfiltrated data and messages?
From the employee’s account, the hacker gained access to all private conversations, as well as the public rooms that this employee could access. Put like that, it is hard to imagine how many messages that may represent. However, according to the hacker’s claims on the Dark Web, they allegedly obtained more than 643,000 messages exchanged over the past 3 years, involving a total of 70,000 State employees.
Although DINUM has not confirmed these figures, it did clarify how data is organized in Tchap:
- Private conversations: they are encrypted. Even in the event of identity theft, the history of private encrypted exchanges remains technically inaccessible. The agency emphasizes this point: "Employees’ private conversations remain protected."
- Public conversations: these are forums or public rooms that, by design, are open to all Tchap users and are not encrypted.
"Investigations are ongoing, particularly through the analysis of event logs, to identify the conversations the attacker may have accessed and the nature of the data exfiltrated.", DINUM adds.
If there was a data export, the most exposed and usable data would mainly be from public conversations. According to DINUM, private messages are encrypted and therefore unreadable by the hacker, except for the messages they may have viewed by using the employee’s Tchap account.
DINUM also sent a message to all employees to remind them of the platform’s golden rule, namely: "In accordance with Tchap’s terms of use, no personal, sensitive, or professionally confidential information should be exchanged there: such exchanges must be reserved for private rooms."
Finally, it is important to understand that Tchap was not hacked directly. This is not a software vulnerability, but rather the compromise of an account that provided legitimate access to the platform. One question remains, however: was multifactor authentication enabled on the employee’s account?
