France's sovereign messenger Tchap hit by account breach

France built its own encrypted messenger so civil servants would not have to trust WhatsApp or Telegram. Now that messenger has been breached, and the government and the attacker cannot agree on how much was taken.

France’s National Cybersecurity Agency, ANSSI, detected a compromise of Tchap on 7 June, and the Digital Affairs Directorate (DINUM), which runs the platform, published an incident notice and moved to block the account involved. Crucially, this was not a crack in the encryption or the infrastructure.

Officials say the attacker got in by hijacking a legitimate user account, a compromise of credentials rather than of the system itself.

The government’s account of the damage is narrow. Tchap, which is built on the open Matrix protocol, carries both public and private conversations, and the private ones are end-to-end encrypted. DINUM says that even when an account is impersonated, the history of those private encrypted conversations stays inaccessible, and that only the unencrypted public chat rooms, which any authenticated user can find and join, may have been viewed.

The 💜 of EU techThe latest rumblings from the EU tech scene, a story from our wise ol' founder Boris, and some questionable AI art. It's free, every week, in your inbox. Sign up now!Investigators are still working through the logs to establish exactly which conversations were reached and whether any data was taken. DINUM has notified the data-protection regulator CNIL, since personal information may have been exposed in the content the attacker could see, and reminded users that public rooms are not the place for sensitive material.