
· security france government data-breach digital-privacy europe identity

France’s Sovereign Messenger Tchap Breached via Hijacked Government Account

Source: BleepingComputer

On 7 June 2026, France’s national cybersecurity agency ANSSI detected unauthorised activity on Tchap, the French government’s internal messaging platform. Developed by the state as a sovereign alternative to Slack, Teams, and other foreign-hosted tools, Tchap runs on the open-source Matrix protocol and is designed to keep ministerial and administrative communications on infrastructure managed under French jurisdiction. The breach is therefore not just a data protection incident but a test of the sovereign-technology model France has invested in as a way of reducing exposure to non-European platforms.

How the attacker got in

The entry point was not a vulnerability in Tchap’s software or its Matrix infrastructure. The attacker hijacked a legitimate account associated with Tchap’s education environment and then used it as any valid user could. This is a credential-level compromise rather than a software exploit: the platform’s architectural controls were not broken, they were operated by someone who had become a legitimate user. Once the intrusion was detected the compromised account was identified and blocked, ending the attacker’s persistent access, although blocking an account does not recover whatever it had already read.

What was claimed and what remains unconfirmed

The attacker subsequently claimed to have obtained 73,467 user accounts, 643,459 messages, 876 chat rooms with their full message history, 59,386 media files totalling 13.51 gigabytes, and references to documents carrying the “Diffusion Restreinte” marking, the French government’s restricted-distribution marking for sensitive but unclassified material.

None of those figures have been independently verified, and French authorities have not confirmed the scope of the data actually accessed. The gap between what an attacker claims and what was genuinely extracted is often significant, and investigations of this kind typically take weeks to reach firm conclusions. What is confirmed is that a legitimate account was used to query the platform and that the malicious activity was detected and stopped.

The French digital affairs directorate notified the data protection authority, the CNIL, in light of the potential personal data exposure. That is the step Article 33 of the GDPR requires within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to the individuals concerned.

Why this matters beyond France

Tchap is specifically positioned as a sovereign tool: a platform under French state control, running on French-managed infrastructure, insulated from the foreign legal access requests that reach US-based SaaS providers under statutes such as the CLOUD Act. The fact that it was compromised through credential theft rather than a technical flaw is a useful reminder that digital sovereignty at the infrastructure level does not shrink the human attack surface at all.

For any organisation that has moved to self-hosted or European-sovereign communication tools partly for security reasons, this incident illustrates where the residual risk sits. The platform itself held up. The account management and identity verification processes did not.

Account takeover is one of the most common initial access vectors in modern breaches. Phishing, SIM-swapping, help-desk fraud, and credential stuffing with passwords reused across services all lead to the same place: an attacker holding a valid session on a system that has no reason to distrust it. Organisations that invest in infrastructure sovereignty but have not proportionately invested in identity security, enforced multi-factor authentication, privileged access management, and security awareness training are not reducing risk, they are trading one risk posture for another.

What European organisations should take from this

The Tchap incident joins a growing list of European public sector compromises in 2026 where the technical architecture was sound but the identity layer was not. The pattern matters: as European institutions and enterprises move sensitive workloads to sovereign or self-hosted infrastructure, attackers adapt by targeting the people who access those systems rather than the systems themselves.

For organisations managing their own communication infrastructure or running Matrix, Nextcloud, or similar sovereign platforms, the checklist that follows is not theoretical:

  • Multi-factor authentication should be mandatory for all accounts, with phishing-resistant factors (hardware security keys or passkeys) preferred over SMS-based second factors for any account that can reach sensitive data
  • Privileged accounts, including those used in development, testing, and education environments, should be monitored and scoped to the minimum access they actually need; a non-production environment that can still read production rooms is a production environment as far as an attacker is concerned
  • Account activity monitoring should flag anomalous query volumes or access patterns, such as a single account paginating through the history of hundreds of rooms in minutes, before data has moved, not after
  • Incident response playbooks should include account takeover scenarios, not just network-level or malware-based attacks: revoking every session and access token rather than only resetting the password, and reconstructing what the account read while it was compromised
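The third item above is the one that would have caught this intrusion earliest: the attacker held a valid account and simply read room history, which is ordinary traffic in kind and abnormal only in volume and breadth. The following is an added example, not code from Tchap, ANSSI, or the Matrix project. It reads a simplified, constructed access-log format (timestamp, user, method, path, status), counts history-reading requests per account inside a sliding window, and raises an alert the moment an account touches more distinct rooms, or issues more requests, than a person plausibly would. The thresholds, the window size, and the two sample accounts are assumptions; map your homeserver’s real access log onto the same fields and tune the numbers against your own baseline before relying on it.

```python
"""Flag Matrix accounts whose client-API usage looks like bulk history export.

Added example, not code from Tchap, ANSSI or the Matrix project. The log format
is a constructed simplification: "<iso-timestamp> <user> <method> <path> <status>".
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Assumptions to tune against your own baseline.
WINDOW = timedelta(minutes=10)
MAX_DISTINCT_ROOMS = 20   # a human reads a handful of rooms per ten minutes
MAX_REQUESTS = 200        # bulk pagination of /messages goes far beyond this

# Only endpoints that read room history or membership count; sending a message
# is not exfiltration. Room IDs look like "!opaque:server" (unencoded here).
HISTORY_RE = re.compile(
    r"^/_matrix/client/v3/rooms/([^/?]+)/(messages|context|members|state)")


def parse_line(line):
    """Return (timestamp, user, room_id) for a history read, else None."""
    ts, user, _method, path, _status = line.split()
    match = HISTORY_RE.match(path)
    if match is None:
        return None
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), user, match.group(1)


def detect_bulk_reads(lines):
    """Return {user: (first_alert_time, requests_in_window, distinct_rooms_in_window)}.

    Alerts fire on the first request that pushes an account over either
    threshold, so the signal arrives while the export is still in progress.
    """
    recent = defaultdict(deque)   # user -> (timestamp, room) pairs inside WINDOW
    alerts = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, user, room = parsed
        window = recent[user]
        window.append((ts, room))
        while window and ts - window[0][0] > WINDOW:   # slide the window forward
            window.popleft()
        rooms = {r for _, r in window}
        if user not in alerts and (len(rooms) > MAX_DISTINCT_ROOMS
                                   or len(window) > MAX_REQUESTS):
            alerts[user] = (ts, len(window), len(rooms))
    return alerts


def sample_log():
    """Constructed log: one normal user and one hijacked account walking every room."""
    base = datetime(2026, 6, 7, 9, 0, 0)

    def fmt(t, user, method, path):
        return f"{t.isoformat()}Z {user} {method} {path} 200"

    lines = []
    # @alice reads two rooms over twenty minutes, then posts a message.
    for i, room in enumerate(["!ops:tchap.gouv.fr", "!lunch:tchap.gouv.fr",
                              "!ops:tchap.gouv.fr"]):
        lines.append(fmt(base + timedelta(minutes=7 * i), "@alice:tchap.gouv.fr", "GET",
                         f"/_matrix/client/v3/rooms/{room}/messages?dir=b&limit=50"))
    lines.append(fmt(base + timedelta(minutes=21), "@alice:tchap.gouv.fr", "PUT",
                     "/_matrix/client/v3/rooms/!ops:tchap.gouv.fr/send/m.room.message/t1"))
    # @hijacked paginates 60 rooms, five pages each, one request per second.
    for n in range(60):
        for page in range(5):
            t = base + timedelta(seconds=n * 5 + page)
            lines.append(fmt(t, "@hijacked:tchap.gouv.fr", "GET",
                             f"/_matrix/client/v3/rooms/!room{n}:tchap.gouv.fr"
                             f"/messages?dir=b&from=p{page}"))
    return lines


if __name__ == "__main__":
    for user, (ts, reqs, rooms) in detect_bulk_reads(sample_log()).items():
        print(f"ALERT {ts.isoformat()} {user}: {reqs} history reads "
              f"across {rooms} rooms in the last {WINDOW}")
```

Run against the constructed log, the normal user never trips either threshold, while the hijacked account is flagged at its 21st distinct room, 101 requests in, roughly a minute and a half into a five-minute export and long before it reaches the 876 rooms the attacker claimed. The two signals are deliberately independent: a bot that hammers two rooms trips the request threshold, an account that reads one page from every room it can see trips the distinct-room threshold.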

If your organisation is running sovereign or self-hosted communication tools and wants to assess whether your identity and access management controls are adequate, contact Excello Digital. We can help you identify gaps before an attacker does.
