Tchap exists to let French officials exchange sensitive information inside an encrypted environment. The attackers did not break that encryption. They simply convinced someone with legitimate access to hand over control of an account. Once inside, they could read any public rooms the account could reach and potentially pull message history and attached files.
The threat actor later claimed 73,000 accounts, more than 650,000 messages, and 13.5 GB of data. ANSSI's detection came after the fact; the initial foothold required no technical exploit against Tchap itself. Social engineering against the account owner or support process was enough.
What the Attackers Could Actually Reach
Public rooms formed the clearest target. Any conversation not restricted to private channels became visible. Because Tchap is used for coordination across ministries and agencies, even unclassified rooms can contain operational details, contact lists, and scheduling information that aid further targeting.
The 13.5 GB figure suggests the attackers also collected attachments or exported history. Whether they moved laterally into other systems is not confirmed in public reporting, but the messaging platform alone supplied a ready-made directory of government personnel and their day-to-day communications.
Why Legacy Account Protections Failed to Stop the Entry
Even if a time-based OTP or push notification had been in place, it would not have stopped this attack. The social engineering occurred before any authentication step. The attacker did not need to intercept a code or approve a prompt; they needed only to persuade a person or helpdesk to reset or hand over the account. Once the account was theirs, any second factor tied to that account became theirs as well.
Recovery flows remain the weak point in most government identity systems. When the process can be socially engineered, the presence of legacy MFA changes nothing about the initial compromise. The breach succeeded at the account-provisioning layer, not the login layer.
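The point made above, that login MFA never runs when the account is handed over through a recovery or helpdesk flow, is easiest to see in a small model. The following Python is an added example written for this article; it is not Tchap's, Matrix's or ANSSI's code, and every name, policy rule, threshold and audit line in it is an assumption constructed for illustration. It contrasts a recovery check that accepts a bare claim of identity with one that requires proof of an already-enrolled factor (or a second, independently recorded verification), and it goes one step beyond the text by adding the kind of after-the-fact check a defender would want: a pass over recovery-reset audit events that flags accounts which, shortly after a reset, join many rooms or export history.

```python
"""Account-recovery gating and post-recovery access monitoring (toy model).

Added example for this article; it is not Tchap's, Matrix's or ANSSI's code.
Every name, policy rule, threshold and log line below is an assumption
constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Account:
    user: str
    enrolled_factors: frozenset  # strong factors already bound to the account


def legacy_reset_allowed(acct: Account, ticket: dict) -> bool:
    """Weak recovery flow: a helpdesk ticket naming a real user is enough.

    Login MFA never runs here, so whoever persuades support to file the
    ticket receives the account and every second factor attached to it.
    """
    return ticket.get("claimed_user") == acct.user


def hardened_reset_allowed(acct: Account, ticket: dict) -> bool:
    """Hardened recovery flow: the requester must prove possession of a
    factor that is already enrolled, or two separate agents must have
    recorded an out-of-band identity check. A bare claim never suffices.
    """
    if ticket.get("claimed_user") != acct.user:
        return False
    if ticket.get("proven_factor") in acct.enrolled_factors:
        return True
    return ticket.get("verified_by_two_agents") is True


# Constructed audit log: (timestamp, user, event, detail). Not real Tchap data.
SAMPLE_AUDIT_LOG = [
    ("2024-01-01T09:10:00", "alice", "recovery_reset", "ticket-1"),
    ("2024-01-01T09:12:00", "alice", "login", "new-device"),
    ("2024-01-01T09:13:00", "alice", "join_room", "#ops-coordination"),
    ("2024-01-01T09:14:00", "alice", "join_room", "#ministry-planning"),
    ("2024-01-01T09:15:00", "alice", "join_room", "#incident-bridge"),
    ("2024-01-01T09:16:00", "alice", "join_room", "#directory"),
    ("2024-01-01T09:17:00", "alice", "join_room", "#travel"),
    ("2024-01-01T09:40:00", "alice", "export_history", "#ops-coordination"),
    ("2024-01-01T11:00:00", "bob", "login", "known-device"),
    ("2024-01-01T11:05:00", "bob", "join_room", "#lunch"),
    ("2024-01-02T08:00:00", "carol", "recovery_reset", "ticket-2"),
    ("2024-01-02T08:05:00", "carol", "login", "new-device"),
    ("2024-01-02T08:06:00", "carol", "join_room", "#team"),
]


def flag_post_recovery_activity(log, window=timedelta(hours=24),
                                join_threshold=5):
    """Return {user: [reasons]} for accounts whose behaviour after a recovery
    reset looks like harvesting rather than a user regaining access: many
    room joins inside the window, or any history export at all.
    """
    resets = defaultdict(list)
    for ts, user, event, _ in log:
        if event == "recovery_reset":
            resets[user].append(datetime.fromisoformat(ts))

    joins = defaultdict(int)
    exports = defaultdict(int)
    for ts, user, event, _ in log:
        when = datetime.fromisoformat(ts)
        # Only count activity that falls inside a window after a reset.
        if not any(r <= when <= r + window for r in resets.get(user, [])):
            continue
        if event == "join_room":
            joins[user] += 1
        elif event == "export_history":
            exports[user] += 1

    flagged = {}
    for user in resets:
        reasons = []
        if joins[user] >= join_threshold:
            reasons.append(f"{joins[user]} room joins within {window} of reset")
        if exports[user]:
            reasons.append(f"{exports[user]} history export(s) after reset")
        if reasons:
            flagged[user] = reasons
    return flagged


if __name__ == "__main__":
    acct = Account("alice", frozenset({"hardware_key"}))
    claim_only = {"claimed_user": "alice"}
    print("legacy reset on bare claim:", legacy_reset_allowed(acct, claim_only))
    print("hardened reset on bare claim:", hardened_reset_allowed(acct, claim_only))
    print(flag_post_recovery_activity(SAMPLE_AUDIT_LOG))
```

In the constructed log, "alice" is flagged because a recovery reset is followed within the window by five room joins and a history export, while "carol", who also went through a reset, is not. The design choice worth noting is that the hardened check gates on something the requester must possess or on a second human record, never on information a caller can simply assert; the monitor then treats the reset event itself as the trigger for closer scrutiny, which is where a detection of this kind of takeover would have to start.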
FAQ
Did the attackers need to break Tchap's encryption?
No. They obtained a legitimate account through social engineering, so they never had to defeat the encryption protecting messages in transit or at rest.
How many accounts were actually exposed?
The threat actor claimed 73,000 accounts along with 650,000 messages and 13.5 GB of files. ANSSI has not publicly confirmed those exact numbers.
Would standard MFA on Tchap logins have prevented the breach?
No. The compromise happened through account takeover via social engineering, not through guessing or intercepting credentials at login time.
What data was most valuable to the attackers?
Public chat rooms gave them immediate visibility into government coordination. Attachments and message history added operational context and contact information.
When did ANSSI detect the intrusion?
ANSSI detected the activity on June 7, 2025, after the account had already been used to access chat content.