Tchap's end-to-end encryption worked exactly as designed. That is the part that should worry every government IT shop that bought a "secure messenger" without reading the room labels.
When a single French government employee's account was compromised through social engineering last week, the attacker did not need to break any cryptography. The platform's public chat rooms, where roughly 9 percent of all Tchap users had profile data visible by default, handed over 73,467 names, email addresses, and employing organizations without a fight, according to BleepingComputer's reporting on DINUM's disclosure.
DINUM, France's interministerial digital directorate, runs Tchap as the sovereign messaging platform for the French public sector. Its promise is end-to-end encryption. That promise held where it was applied. Private conversations and direct messages stayed sealed. The failure was scope, not cryptography.
The exposed data came from public rooms only. Last names, first names, email addresses, employing organizations, and avatars were visible to anyone inside those rooms by design. The attacker used a single compromised credential to enumerate the public-channel membership and pull the data out.
Around 9 percent of the roughly 825,000 registered Tchap users were caught in the scrape. That is a directory-grade exposure, not a content breach. No private message bodies were read. The threat actor's own claims of 650,000 scraped messages and 13.5 GB of files sit outside what DINUM has confirmed and remain to be verified.
DINUM has blocked the compromised account and notified CNIL, France's data protection authority. The investigation is early, and any CNIL follow-up notice will sharpen the picture, especially on whether the compromised account was privileged and what conditional access, if any, was enforced at login.
The lesson is structural. "Encrypted messaging" has become a label applied to platforms, not to specific data flows within them. Tchap drew the line at room type: private rooms encrypted, public rooms plaintext. Directory-grade data sat in the plaintext zone. One social-engineered account was enough to walk out with a workforce inventory.
For every CISO and digital minister reading the disclosure, the audit question is no longer "is our messenger encrypted?" It is "which rooms, which fields, which defaults, and which accounts sit outside that protection, and what is the blast radius if any one of them is compromised?" Encryption coverage has to match data sensitivity, not channel type. Otherwise the next Tchap is one phishing email away.
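As an added illustration, not code from the article or from DINUM, this small Python model turns the audit question above into something runnable: given a constructed room directory, it lists the rooms whose directory data any account can reach and computes the blast radius of a single compromised account. The room names, user ids, field list and user count are constructed, and the model assumes what the disclosure describes, that encryption seals message bodies while member-visible profile fields follow the room's join rule.

```python
from dataclasses import dataclass

# Constructed model of a messenger's room directory (not Tchap's real schema).
@dataclass(frozen=True)
class Room:
    name: str
    public: bool        # join rule: any account on the platform may join
    encrypted: bool     # end-to-end encryption on message bodies
    members: frozenset  # user ids currently in the room

# Profile fields a room member can read about co-members (assumed defaults,
# taken from the fields named in the disclosure). In this model encryption
# seals message bodies only; these fields follow room membership.
MEMBER_VISIBLE_FIELDS = frozenset(
    {"first_name", "last_name", "email", "organization", "avatar"})

def reachable_rooms(rooms, account):
    """Public rooms (the account can simply join) plus its own private rooms."""
    return [r for r in rooms if r.public or account in r.members]

def blast_radius(rooms, account, total_users):
    """If `account` is compromised: user id -> readable profile fields,
    and that set as a share of all registered users."""
    exposed = {}
    for room in reachable_rooms(rooms, account):
        for user in room.members - {account}:
            exposed.setdefault(user, set()).update(MEMBER_VISIBLE_FIELDS)
    return exposed, len(exposed) / total_users

def rooms_outside_protection(rooms):
    """Audit list: rooms whose directory data any account can reach."""
    return sorted(r.name for r in rooms if r.public)

def demo():
    # Constructed directory: one open room, two closed rooms, 10 users total.
    rooms = [
        Room("all-hands", True, False, frozenset({"u1", "u2", "u3", "u4"})),
        Room("ministry-x", False, True, frozenset({"u1", "u2"})),
        Room("ops-private", False, True, frozenset({"u3", "u4"})),
    ]
    # "new" is a freshly compromised account that belongs to no room yet.
    exposed, share = blast_radius(rooms, "new", total_users=10)
    print(f"{len(exposed)} users ({share:.0%}) exposed via "
          f"{rooms_outside_protection(rooms)}")
    # Turning on encryption in the open room changes nothing: the join rule,
    # not the encryption flag, decides who can read the membership.
    hardened = [Room("all-hands", True, True, rooms[0].members), *rooms[1:]]
    assert blast_radius(hardened, "new", 10)[0].keys() == exposed.keys()
    return exposed, share
```

The useful output is not the percentage itself but the per-user field map, which is what a CISO needs to decide whether a given field belongs in an open room at all.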