“Of the more than 825,000 registered agents, 73,467 agents would be affected by this incident, or less than 9% of registered users.”
DINUM: scope of the breach and initial response
France’s digital affairs directorate, DINUM, disclosed that a compromise of the Tchap instant messaging service affected 73,467 public-sector accounts — roughly 9% of the platform’s registered users. DINUM said it notified the country’s data protection authority, the CNIL, and that investigators identified and immediately blocked the account used to make the malicious requests. In its public update DINUM emphasized that private conversations remained protected by encryption while data in public chat rooms had been exposed.
What was exposed: public rooms, user metadata and shared files
DINUM said the attacker was able to steal content from Tchap’s public chat rooms, which are not encrypted by design. According to the directorate, “Potentially exposed data from user accounts concerns at least: last name, first name, email address, belonging entity and avatar.” The threat actor who claimed responsibility produced a sample of stolen material and said they had scraped nearly 650,000 messages and information from more than 73,000 accounts, including email addresses, meeting links, organisation information, and account and device metadata. The actor also claimed to have taken more than 13.5 GB of documents and media files shared via the service and to have recovered hardcoded LDAP credentials that had been leaked inside a PowerShell script.
Threat actor claims and the apparent method
DINUM has not attributed the intrusion publicly, but a threat actor posted a claim over the weekend and provided samples. The actor said they gained access following a social engineering attack and that they had scraped messages, account details and files. DINUM confirmed the attack began from a compromised user account that allowed the actor to access public-room data, and said the account used for the malicious requests had been identified and blocked to remove persistent access and allow in‑depth analysis.
Tchap’s origin, design and recent deployment
Tchap was developed by DINUM together with ANSSI, the French cybersecurity agency, and is built on the Matrix protocol. The service was rolled out as the default work communications app for civil servants in early August 2025. Since then, DINUM says Tchap has reached over 300,000 monthly users and has passed 500,000 downloads on Google’s Play Store.
What this means for technologists, policymakers, and public servants
- Technologists and security teams: expect focused scrutiny on how public, non‑encrypted channels are handled and how a single compromised account can be used to harvest metadata and files from open forums.
- Policymakers and regulators: CNIL has been notified; regulators will watch the scope of exposed personal data — names, emails, employer details and avatars — and any follow‑up disclosures about the stolen documents and credentials.
- Public servants and platform users: DINUM’s update distinguishes encrypted private conversations from public-room posts; users whose names and emails appear in public forums should assume those elements were accessible to the attacker.
DINUM’s public timeline shows three immediate actions: identification of the malicious account, its blocking, and a commitment to an in-depth forensic analysis. The actor’s public claims — scraped messages, 13.5 GB of files, and leaked LDAP credentials inside a PowerShell script — raise further questions about what confidential material may have been available in public rooms and how such credentials were stored.
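The distinction DINUM draws between unencrypted public rooms and encrypted private conversations corresponds to three Matrix room state events. The following Python audit is an added example, not code from DINUM, Tchap or the original report: it shows how a homeserver administrator could flag rooms whose plaintext content is readable by any account that joins. The room IDs and events are constructed, and the defaults applied to missing events are assumptions of the example.

```python
# Added example: classify Matrix rooms by exposure from their state events.
# Room IDs and events are constructed sample data, not taken from Tchap.

def summarize(state_events):
    """Reduce a room's state events to the three settings that govern exposure."""
    # Assumption: a missing event is treated as invite-only / shared history.
    info = {"join_rule": "invite", "history_visibility": "shared", "encrypted": False}
    for ev in state_events:
        if ev.get("state_key", "") != "":
            continue  # these settings live under the empty state key
        content = ev.get("content", {})
        if ev.get("type") == "m.room.join_rules":
            info["join_rule"] = content.get("join_rule", "invite")
        elif ev.get("type") == "m.room.history_visibility":
            info["history_visibility"] = content.get("history_visibility", "shared")
        elif ev.get("type") == "m.room.encryption":
            info["encrypted"] = bool(content.get("algorithm"))
    return info

def classify(info):
    """Label a room and say whether a newly joined account can read old messages."""
    open_to_any = info["join_rule"] == "public" or info["history_visibility"] == "world_readable"
    backlog = info["history_visibility"] in ("shared", "world_readable")
    if info["encrypted"]:
        # Simplification: a new joiner receives ciphertext but not the old keys.
        return "encrypted", False
    if open_to_any:
        return "exposed", backlog
    return "plaintext-restricted", backlog

def audit(rooms):
    """Return {room_id: (label, backlog_readable_on_join)} for every room."""
    return {rid: classify(summarize(evs)) for rid, evs in rooms.items()}

def state(etype, **content):
    return {"type": etype, "state_key": "", "content": content}

SAMPLE_ROOMS = {  # constructed
    "!annonces:example.invalid": [state("m.room.join_rules", join_rule="public"),
                                  state("m.room.history_visibility", history_visibility="shared")],
    "!equipe:example.invalid": [state("m.room.join_rules", join_rule="invite"),
                                state("m.room.history_visibility", history_visibility="joined")],
    "!projet:example.invalid": [state("m.room.join_rules", join_rule="invite"),
                                state("m.room.encryption", algorithm="m.megolm.v1.aes-sha2")],
}

if __name__ == "__main__":
    for room_id, (label, backlog) in sorted(audit(SAMPLE_ROOMS).items()):
        print(f"{room_id}: {label}, backlog readable on join: {backlog}")
```

Rooms labelled "exposed" with a readable backlog are the ones where a single compromised account can read the full message history, which makes them the first candidates for a content and attachment review.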
One related item in recent reporting: in May authorities arrested a 15‑year‑old suspected of selling data stolen in an April attack on ANTS, the agency that issues official identity and registration documents. That incident was separate from the Tchap disclosure; DINUM has not linked the two in its statements.
For now, DINUM’s confirmation that private conversations remained encrypted frames the immediate risk as a metadata and public‑room content exposure affecting 73,467 agents out of more than 825,000 registered users. The principal unresolved facts are who is behind the intrusion and what proportion of the claimed 13.5 GB of files is sensitive. DINUM’s blocking of the malicious account and the CNIL notification are the concrete steps reported so far; forensic findings and any formal attribution remain to be published.
Source: BleepingComputer — Over 73,000 French govt employees affected in Tchap messenger breach




