Last updated: July 5, 2026 at 9:01 AM UTC
All 557 Vulnerability 199 Breach 106 Threat 245 Defense 7
Tag: matrix (1 article)Clear

French government messenger Tchap breached, hitting 73,000 public servants

France's government messaging platform Tchap, the in-house, Matrix-based app that civil servants are required to use instead of WhatsApp or Signal, was breached after a threat actor hijacked a single user account, no software exploit needed. The cyber agency ANSSI detected it on June 7. Officials say data tied to about 73,000 accounts, roughly 9 percent of users, was exposed: the attacker scraped everything shared in public chat rooms, which are not encrypted, while private end-to-end conversations stayed protected. The haul includes over 13.5GB of documents and media plus hardcoded LDAP credentials leaked in a PowerShell script. Entry was via the education ministry's server.

Check
Review what your organization shares in unencrypted public or group chat channels, and scan scripts and config files for hardcoded credentials like the LDAP secret exposed in this breach.
Affected
Around 73,000 French public-sector Tchap accounts; data posted in unencrypted public chat rooms was exposed, while end-to-end-encrypted private conversations were not. The entry point was one hijacked account.
Fix
Enforce phishing-resistant MFA so single accounts cannot be hijacked, remove hardcoded credentials from scripts, treat public chat rooms as non-confidential, and monitor for bulk data access across collaboration platforms.