reclaimthenet.org
France’s Own Hack Is the Best Argument Against Its War on Encryption
Brussels and a run of European governments, France loud among them, have spent the past few years treating strong encryption as a problem to be solved.
The argument behind proposals like Chat Control is that the state needs a way to scan private messages to keep people safe and that it can be trusted to hold that kind of access without abusing it or losing control of it.
But France just handed that argument an awkward rebuttal. Tchap, the messenger the French government built for its own civil servants, got breached.
France’s National Cybersecurity Agency, ANSSI, detected the compromise on June 7, and DINUM, the digital affairs directorate that runs the platform, blocked the account involved and published an incident notice.
The intrusion broke neither the encryption nor the servers. Someone hijacked a legitimate user account, which is all an attacker needs when any one credential is a key to the same building.
That detail is the part the backdoor crowd keeps refusing to absorb. The encryption on Tchap did its job. DINUM says private conversations stay end-to-end encrypted even when an account is impersonated and that the attacker could reach only the unencrypted public chat rooms any authenticated user is able to find.
Security researchers were quick to note what that reassurance skips over. An attacker wearing a real user’s identity can see whatever that account sees in the moment, private rooms included.
A government backdoor is exactly that: an access path bolted on beside working encryption, and France just demonstrated it cannot keep one of those paths shut for a single weekend.
DINUM has notified CNIL, the French data protection regulator, because personal information may have surfaced in whatever the attacker viewed. The directorate described its handling of the intrusion in a press release.
“At this stage, the account originating the malicious requests has been identified. It was immediately blocked to remove the attacker’s persistent access and allow for a thorough analysis of the data they were able to access. The investigation continues, including the study of event logs, to identify the conversations that the attacker was able to access and the nature of the exfiltrated data,” DINUM said.
The directorate also pushed responsibility back toward its own users, reminding them where the safe lines were supposed to be.
“A message has been sent to all Tchap users reminding them that a public chat room can be found and joined by any user and that its content is not encrypted. In accordance with Tchap’s terms of service, no personal, sensitive, or confidential information should be exchanged in public chat rooms: such exchanges should be reserved for private chat rooms.”
A threat actor using the handle Misère tells a far bigger story. The attacker claims to have reached data tied to roughly 73,000 state agents, 643,000 messages, nearly 60,000 files adding up to about 13.5 gigabytes, hundreds of chat rooms, and around 90 items referencing Diffusion Restreinte, a French restricted-distribution marking, spanning June 2023 through June 2026.
“I social engineered a valid account on the education shard (matrix.agent.education.tchap.gouv.fr). Everything below is what that one account could reach, other shards will have more,” they wrote.
The attacker also described pulling files at will. “Every file ever shared on Tchap, on any shard, is downloadable without a token,” they added. “The media IDs come from the messages. Once you have a message with a media URL you can pull the file freely regardless of which shard hosts it.”
None of those figures have been confirmed. ANSSI and DINUM have said nothing about restricted documents, directory exposure, or any of the volumes the attacker cited, and French security analysts have kept the numbers out of their breach trackers while independent confirmation is missing.
Hold that against what Tchap was built to be. DINUM and ANSSI launched it in 2019 as a French-hosted alternative to WhatsApp, Telegram, and Slack, so government communication would not sit on foreign-controlled services.
A state that cannot keep one civil-service messenger out of a social-engineering attack is lobbying for a standing ability to read the private messages of hundreds of millions of people and to store whatever it scans somewhere. Every backdoor is a new door and every door is something Misère, or the next handle, gets to try.
The post France’s Own Hack Is the Best Argument Against Its War on Encryption appeared first on Reclaim The Net.