Tchap, France’s government-mandated Matrix-based secure messaging platform used by approximately 300,000 public servants, was breached via social engineering against an education shard employee account. The attacker claims exfiltration of 650,000 messages, 73,000 account records, and 13.5GB of files. A second alleged vulnerability — unauthenticated access to all media files platform-wide via guessable media IDs — if confirmed, would extend exposure to every user on every government shard. DINUM and ANSSI confirmed the breach on 2026-06-09.