
Tchap: Infrastructure Sovereignty Doesn't Protect Against Compromised Credentials

Gabriel Ferraresi · CEO | Tech86 · June 15, 2026 · 4 min
Tags: tchap, security, sovereignty, social engineering, matrix

France built a sovereign messenger to replace WhatsApp and Telegram in public service. National servers, open-source protocol, end-to-end encryption, cybersecurity agency co-developing. In September 2025, it became mandatory for all civil servants. A year later, a single account compromised via social engineering exposed data on 73,467 public agents. Infrastructure sovereignty doesn't protect against compromised credentials.

What happened

On June 7, 2026, a compromised user account was detected on Tchap. This was not a server vulnerability. This was not a cryptographic break. It was account takeover — the attacker obtained access to legitimate credentials via social engineering.

On June 8, DINUM published a statement. On June 9-10, the Paris prosecutor opened an inquiry and DINUM filed a formal complaint. The account was identified and blocked.

What the government confirms as exposed: name, email, organizational entity, and avatar of the 73,467 affected agents — less than 9% of the 825,000 registered users and 300,000 monthly active users, per DINUM. Public rooms, unencrypted by design, were accessible. DINUM states that encrypted private conversation history was not accessible even with the compromised account.

What the attacker claims — and none of these claims have been independently verified by DINUM: approximately 643,000 messages scraped, 876 rooms accessed, 59,000 media files totaling 13.5 GB, 90 instances of "Diffusion Restreinte" classification found in public rooms, LDAP credentials hardcoded in a PowerShell script, and media files downloadable without authentication tokens.

The separation between confirmed facts and unverified claims is fundamental. The French government confirmed directory data exposure and access to public rooms. The rest remains allegation.

Unencrypted public rooms: not a bug, it's architecture

Tchap has public rooms that are not encrypted by design. This is not a vulnerability — it's an architectural decision. But civil servants shared sensitive information in these public rooms, against official policy. According to the attacker, 90 instances of "Diffusion Restreinte" classification appeared in public rooms — a claim not verified by DINUM.

DINUM attributes responsibility to users. The problem: in a government messenger, architecture should prevent human error from becoming a security incident. If information is sensitive enough to be on the platform, it should be sensitive enough to be encrypted by default. Leaving public rooms unencrypted and then blaming users for sharing sensitive information in them transfers to the user a decision that should be technical.

One compromised account, 73,000 affected

Tchap uses a federated architecture by shard — each ministry runs its own homeserver. The compromised account was on the Education shard. If the attacker's claim holds, the directory search function would have allowed enumerating users across ministries.

This is the critical point: shards should be isolated. If they are not, federation becomes the expansion vector. A compromised account at the Ministry of Education should not allow discovering users at the Ministry of Defense or Finance. Federation, which is the strength of the Matrix protocol, becomes the amplification vector when access controls between shards are insufficient.
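One detection a homeserver operator could run to catch the pattern described above, an account whose directory searches return users from many shards other than its own, as an added example that is not part of the article or of Tchap's own code. It assumes a simplified audit log format (timestamp, searching user, comma-separated result user IDs) that is constructed for this example; real Synapse logs differ.

```python
"""Flag one Matrix account enumerating users across ministry shards.
Added example; the log format below is constructed, not Tchap's."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: an account on the education shard paging through the
# directory and receiving users from four other shards within seconds.
SAMPLE_LOG = """\
2026-06-07T08:00:00Z @teacher:education.example.fr @colleague1:education.example.fr
2026-06-07T08:00:01Z @teacher:education.example.fr @agent1:defense.example.fr,@agent2:defense.example.fr
2026-06-07T08:00:02Z @teacher:education.example.fr @agent3:finance.example.fr
2026-06-07T08:00:03Z @teacher:education.example.fr @agent4:interior.example.fr
2026-06-07T08:00:04Z @teacher:education.example.fr @agent5:justice.example.fr
2026-06-07T09:30:00Z @clerk:finance.example.fr @boss:finance.example.fr
"""


def shard_of(mxid: str) -> str:
    """Matrix user IDs are @localpart:domain; the domain identifies the shard."""
    return mxid.rsplit(":", 1)[1]


def parse_log(text: str):
    """Yield (timestamp, searcher, [result user IDs]) per log line."""
    for line in text.splitlines():
        ts, searcher, results = line.split(" ", 2)
        yield datetime.fromisoformat(ts.replace("Z", "+00:00")), searcher, results.split(",")


def detect_cross_shard_enumeration(log_text, max_foreign_shards=2, window=timedelta(minutes=5)):
    """Return {searcher: sorted foreign shards} for accounts whose searches
    inside `window` returned users from more than `max_foreign_shards`
    shards other than their own. Properly isolated shards return none."""
    hits = defaultdict(list)  # searcher -> [(timestamp, foreign shard)]
    for ts, searcher, results in parse_log(log_text):
        own = shard_of(searcher)
        for result in results:
            if shard_of(result) != own:
                hits[searcher].append((ts, shard_of(result)))
    alerts = {}
    for searcher, events in hits.items():
        events.sort()  # sliding window over chronologically ordered events
        for i, (start, _) in enumerate(events):
            in_window = {shard for t, shard in events[i:] if t - start <= window}
            if len(in_window) > max_foreign_shards:
                alerts[searcher] = sorted(in_window)
                break
    return alerts
```

The threshold and window are tunable; a legitimate user rarely needs results from more than a couple of other ministries in a few minutes.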

Infrastructure sovereignty doesn't substitute for security

France did everything "right" according to the digital sovereignty playbook: national servers, open-source protocol, end-to-end encryption via Olm/Megolm, national cybersecurity agency co-developing, locally hosted infrastructure. And yet, a single account compromised via social engineering exposed data on 73,000 public agents.

Infrastructure sovereignty protects against foreign jurisdiction, traffic interception by intelligence services, and dependency on international providers. It does not protect against an employee clicking a phishing link. It does not protect against reused credentials. It does not protect against social engineering.

These are different layers. Sovereignty is about where data resides and who has jurisdiction. Security is about how data is protected against threats. Confusing the two is one of the most expensive mistakes a cybersecurity strategy can make.

This is not the first incident. The French government suffered an attack on the Interior Ministry's email servers in December 2025 and a breach at the ANTS portal in April 2026. This is the third government incident in 6 months — and the first on Tchap. The pattern is clear: the recurring vector is credential compromise, not infrastructure vulnerability.

What this means for organizations

The Tchap case demonstrates that hosting data nationally or on sovereign infrastructure is a necessary condition, not a sufficient one. The security chain is not as strong as its strongest link — it's as strong as its weakest link. And the weakest link, repeatedly, is the user.

At Tech86, we help organizations implement security awareness that goes beyond compliance — we simulate social engineering attacks, train teams to recognize credential compromise vectors, and build security culture as continuous practice. Because when the account is compromised, server sovereignty won't save you.


Frequently Asked Questions

Tchap is the French government's messaging platform, based on the Matrix protocol and forked from Element (formerly Riot). It was launched in 2019 by DINUM with ANSSI, hosted on French servers with end-to-end encryption via Olm/Megolm. In September 2025, it became mandatory for all civil servants, with foreign messaging apps banned.

DINUM confirmed that a user account was compromised via social engineering on June 7, 2026. Exposed data included name, email, organizational entity, and avatar of 73,467 agents (less than 9% of 825,000 registered users and 300,000 monthly active users, per DINUM). Unencrypted public rooms were accessible. Encrypted private conversation history was not accessible even with the compromised account.

The attacker claims to have scraped ~643,000 messages, accessed ~876 rooms, collected ~59,000 media files (13.5 GB), found 90 instances of "Diffusion Restreinte" classification in public rooms, discovered LDAP credentials hardcoded in a PowerShell script, and found media files downloadable without authentication tokens. None of these claims have been independently verified by DINUM.

France did everything "right" — national servers, open-source protocol, end-to-end encryption, national cybersecurity agency co-developing. Yet a single account compromised via social engineering exposed data on 73,000 agents. Infrastructure sovereignty protects against foreign jurisdiction, traffic interception by intelligence services, and dependency on international providers. It does not protect against an employee clicking a phishing link, reused credentials, or social engineering. These are different layers of security.
