The French government's Tchap messaging platform suffered a breach where a threat actor used a compromised user account to access data shared in public chat rooms. While private conversations are encrypted and were not accessed, the attacker collected personal data from public forums, including names, emails, avatars, and organizational affiliations of over 73,000 users (less than 9% of registered users). The attacker also claimed to have scraped nearly 650,000 messages, 13.5GB of documents and media files, and hardcoded LDAP credentials leaked via a PowerShell script. The compromised account was identified and blocked to prevent further access. The platform is a decentralized collaboration tool based on the Matrix protocol, used by French public sector employees.

The breach exposed personal information of over 73,000 French public sector employees, including names, email addresses, avatars, and organizational affiliations. Additionally, a large volume of messages, documents, media files, and sensitive credentials were stolen. Although private conversations remained encrypted and protected, the exposure of public forum data and credentials could facilitate further targeted attacks or social engineering. The breach affects the confidentiality of user data shared in public channels and may impact trust in the platform.

The compromised account responsible for the breach was identified and immediately blocked to remove persistent access. An in-depth analysis of accessed data is ongoing. No official patch or fix is indicated since the breach resulted from a compromised user account rather than a platform vulnerability. Organizations using Tchap should review account security policies, enforce strong authentication measures, and monitor for suspicious account activity. Users should be informed about the breach and advised to be vigilant for phishing or social engineering attempts. Check for updates from DINUM or ANSSI for further remediation guidance.