ctipilot.ch

France's Tchap government messenger breached via account takeover — 73,467 civil servants' metadata scraped, CNIL notified

From CTI Daily Brief — 2026-06-10 · published 2026-06-10

On 7 June 2026 ANSSI detected a compromise of Tchap, the French state's sovereign Matrix-based encrypted messenger used by some 825,000 civil servants across all ministries; DINUM published its disclosure on 8 June (DINUM, 2026-06-08). The attacker obtained a single account on the education shard (matrix.agent.education.tchap.gouv.fr) through account impersonation; the attacker further claims to have used a Tchap directory-search function to enumerate accounts across the service, a mechanism DINUM has not confirmed and which The Register reports as part of a set of unverified attacker claims (Help Net Security, 2026-06-09; The Register, 2026-06-09). DINUM confirms 73,467 agents (under 9% of registered users) had name, first name, email address, employing entity and avatar potentially exposed; private rooms protected by Matrix end-to-end encryption were not accessible from a compromised user account, only public-room content (DINUM, 2026-06-08). The unverified actor additionally claims bulk scraping of ~643,000 messages and ~13.5 GB of media, alleging that any media object is retrievable without an auth token once its media ID is known — an unconfirmed content-repository access-control claim that, if true, would widen the exposure considerably (The Register, 2026-06-09). DINUM has notified CNIL and blocked the account; the investigation is ongoing.
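One way a Matrix homeserver operator could triage logs for the two unverified mechanisms described above (directory-search enumeration and bulk media retrieval by media ID), added here as an example and not taken from DINUM, ANSSI or the Tchap code base. The endpoint paths follow the Matrix client-server specification rather than the brief; the four-field log format, the thresholds, the function name `triage` and the sample lines are constructed assumptions.

```python
import re
from collections import defaultdict

# Paths per the Matrix client-server spec (assumption: the brief names no endpoints).
DIR_SEARCH = re.compile(r"^/_matrix/client/(?:r0|v3)/user_directory/search$")
# Legacy media paths, which predate the authenticated /_matrix/client/v1/media/ endpoints.
LEGACY_MEDIA = re.compile(r"^/_matrix/media/(?:r0|v1|v3)/(?:download|thumbnail)/([^/]+)/([^/]+)")

# Constructed sample: "source_ip method path status" (hypothetical reverse-proxy format).
SAMPLE_LOG = (
    ["203.0.113.7 POST /_matrix/client/v3/user_directory/search 200"] * 5
    + [f"203.0.113.7 GET /_matrix/media/v3/download/example.org/id{i} 200" for i in range(4)]
    + ["203.0.113.7 GET /_matrix/media/v3/download/example.org/id9 404",
       "198.51.100.20 POST /_matrix/client/v3/user_directory/search 200",
       "198.51.100.20 GET /_matrix/client/v1/media/download/example.org/id0 200"]
)

def triage(lines, search_limit=3, media_limit=3):
    """Return {source_ip: [findings]} for sources above either (assumed) threshold."""
    searches = defaultdict(int)   # successful directory searches per source
    media = defaultdict(set)      # distinct (server, media_id) served per source
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue              # skip malformed lines instead of failing
        ip, method, path, status = parts
        path = path.split("?", 1)[0]   # ignore query strings such as thumbnail sizes
        if not status.startswith("2"):
            continue              # count only requests the server actually answered
        if method == "POST" and DIR_SEARCH.match(path):
            searches[ip] += 1
        m = LEGACY_MEDIA.match(path) if method == "GET" else None
        if m:
            media[ip].add((m.group(1), m.group(2)))
    findings = defaultdict(list)
    for ip, n in searches.items():
        if n > search_limit:
            findings[ip].append(f"directory_search x{n}")
    for ip, ids in media.items():
        if len(ids) > media_limit:
            findings[ip].append(f"legacy_media distinct_ids={len(ids)}")
    return dict(findings)

if __name__ == "__main__":
    for ip, notes in triage(SAMPLE_LOG).items():
        print(ip, notes)
```

Real thresholds depend on normal client behaviour on the deployment; the values here only make the constructed sample trip both checks.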