Canadian Cyber Security Journal

France Tchap Breach: Social Engineering Compromises Government Secure Messaging — What Canadian Agencies Must Learn

What Happened

France’s national cybersecurity agency ANSSI detected a security incident on June 7, 2026 involving Tchap, the French government’s mandated encrypted messaging platform. A threat actor gained access by hijacking a valid public servant account through social engineering, then used that access to extract data from public chat rooms — spaces that are not end-to-end encrypted. The attacker exfiltrated over 13.5 GB of documents and media files shared by civil servants, and also discovered hardcoded LDAP credentials embedded in a PowerShell script, which were exposed in one of the chat rooms.

The attacker claims to have accessed 73,000 user accounts, 643,000 messages, and nearly 60,000 media files. France’s government digital agency DINUM has confirmed a breach and notified the national data protection authority CNIL, but has not confirmed the attacker’s claimed scope. Tchap has been mandatory for all French public officials since September 2025 and serves over 825,000 registered civil servants across all major ministries.

Why This Matters for Canadian Organizations

The Tchap incident illustrates a pattern that Canadian federal agencies face directly: a single compromised employee account in a centrally mandated collaboration platform becomes a gateway to sensitive government communications and shared documents. Canada’s federal government relies on Microsoft Teams for inter-agency communication, and a significant portion of daily operational communication — including sensitive briefing materials, policy drafts, and contractor exchanges — passes through Teams’ persistent channels and file-sharing functions. Not all of this content is equivalent to a classified document, but much of it carries breach notification obligations under Treasury Board policies and PIPEDA.

The hardcoded LDAP credentials found in this incident reflect a persistent problem in government environments: developers and administrators embed service credentials in scripts, then share those scripts through collaboration channels. A single accessible chat room becomes a credential store. Canadian IT teams operating on GCKey-adjacent platforms or within Government of Canada Microsoft 365 tenants should audit shared channels and document libraries for any embedded credentials, API keys, or connection strings. The CCCS has previously noted that social engineering of government employees is a primary initial-access vector for both criminal and state-sponsored actors targeting federal networks.

What to Do

Review your organization’s messaging platform for public or semi-public channels containing shared scripts, configuration files, or documentation with embedded credentials. Rotate any credentials found. Enforce phishing-resistant MFA on all employee accounts accessing collaboration platforms — this incident began with an account takeover that stronger authentication would have blocked. Classify chat rooms and channels according to the sensitivity of information shared in them, and apply access controls accordingly. Brief employees that public-facing channels in government messaging tools are not a safe place for sensitive documents, even when the platform is officially mandated. Canadian federal departments should also review the Treasury Board Directive on Security Management as it applies to approved communication tools and data classification requirements.
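As an added example of the first step above (not code from the original report or from any agency's tooling), this Python sketch scans an exported channel archive for credentials hardcoded in shared PowerShell scripts and configuration files. The export structure, room and file names, rule set, and sample values are constructed assumptions.

```python
import re

# Heuristic rules written for this example; tune them for your own environment.
# Each rule captures the literal secret in group "s". Values that come from a
# variable ($env:..., $cred) are deliberately not matched.
RULES = [
    ("ps-plaintext-securestring", re.compile(
        r"ConvertTo-SecureString\s+(?:-String\s+)?['\"](?P<s>[^'\"$]+)['\"].*-AsPlainText", re.I)),
    ("ldap-directoryentry-password", re.compile(
        r"DirectoryEntry\s*\(\s*[^,]+,\s*['\"][^'\"]+['\"]\s*,\s*['\"](?P<s>[^'\"$]+)['\"]", re.I)),
    ("secret-assignment", re.compile(
        r"\w*(?:passw(?:or)?d|pwd|secret|api_?key|token)\w*\s*[:=]\s*['\"](?P<s>[^'\"$]{6,})['\"]", re.I)),
    ("connection-string-password", re.compile(
        r"(?:Password|Pwd)\s*=\s*(?P<s>[^;'\"\s$]{4,})\s*;", re.I)),
]

def redact(secret):
    """Keep two characters for triage; never copy the full secret into a report."""
    return secret[:2] + "*" * (len(secret) - 2)

def scan_export(messages):
    """Return (room, file, line_number, rule, redacted_value) for each hit."""
    findings = []
    for msg in messages:
        for lineno, line in enumerate(msg["body"].splitlines(), 1):
            for rule, pattern in RULES:
                match = pattern.search(line)
                if match:
                    findings.append((msg["room"], msg["file"], lineno, rule,
                                     redact(match.group("s"))))
                    break  # one finding per line is enough to flag it
    return findings

# Constructed sample export (not data from the incident).
SAMPLE_EXPORT = [
    {"room": "it-helpdesk-public", "file": "sync-users.ps1", "body": (
        '$server = "LDAP://dc01.example.internal/DC=example,DC=internal"\n'
        '$pw = ConvertTo-SecureString "Summer2026!svc" -AsPlainText -Force\n'
        '$e = New-Object System.DirectoryServices.DirectoryEntry($server, "svc_sync", "Summer2026!svc")\n')},
    {"room": "it-helpdesk-public", "file": "prompted.ps1", "body": (
        '$cred = Get-Credential\n'
        '$pw = ConvertTo-SecureString $env:SYNC_PW -AsPlainText -Force\n')},
    {"room": "dev-general", "file": "appsettings.json", "body":
        '"Default": "Server=db01;Database=hr;User Id=app;Password=Tr0ub4dor;"\n'},
]

if __name__ == "__main__":
    for finding in scan_export(SAMPLE_EXPORT):
        print(*finding, sep=" | ")
```

Every hit is a credential to rotate, not just a line to delete, since anyone with access to the room may already have copied it.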

Original reporting: BleepingComputer
