TL;DR: The Tchap incident in June 2026 showed that encrypted private chats remained protected after a user account compromise, while 73,467 users’ names, emails, organisations and avatars were exposed through public rooms, according to SSH Communications Security. The lesson is that messaging security depends on identity, room design and access boundaries, not encryption alone.
At a glance
What this is: A compromised Tchap user account exposed data in public rooms while encrypted private chats stayed protected, showing that encryption alone does not define the security boundary.
Why it matters: IAM, IGA and platform security teams need to treat room structure, identity assurance and access scoping as first-class controls because exposed metadata can still create operational and privacy risk.
👉 Read SSH Communications Security's analysis of the Tchap incident and secure messaging boundaries
Context
Tchap is a government messaging platform built on Matrix, which separates public rooms from encrypted private conversations. The security question is not whether encryption exists, but which identity-controlled spaces allow exposure outside that boundary.
For organisations that rely on secure internal communication, this is an IAM and governance problem as much as a cryptography problem. If user permissions, room design and deployment controls are loose, sensitive information can leak even when encrypted channels remain intact.
Key questions
Q: How should organisations limit damage when a messaging account is compromised?
A: Limit damage by separating communication into distinct room classes, reducing visible metadata and applying stronger identity assurance to sensitive spaces. The goal is to ensure that compromise of one account does not reveal broad organisational context or allow movement into higher-risk coordination channels. The account should inherit only the minimum exposure needed for its role.
Q: Why can encrypted messaging still expose sensitive information?
A: Encrypted messaging can still expose sensitive information when public rooms, profile data and access permissions sit outside the encrypted boundary. Encryption protects message content in the protected channel, but it does not stop a compromised identity from reaching unencrypted spaces or revealing metadata that supports targeting, reconnaissance or social engineering.
Q: What do security teams get wrong about secure collaboration platforms?
A: Teams often assume that strong encryption is enough, when the real risk is exposure through identity scope and room design. If public channels, metadata and operational discussions share the same platform without strict governance, compromise of one account can still produce significant leakage even when private chats remain safe.
Q: Who is accountable for securing communication spaces that mix encrypted and public rooms?
A: Accountability sits with the organisation that defines identity policy, room structure and access governance for the platform. Security, IAM and platform owners need shared ownership because a messaging system is only as secure as its boundaries, metadata controls and the permissions granted to each identity.
Technical breakdown
Public rooms versus encrypted chats in Matrix-based messaging
Matrix supports different conversation types, and that distinction matters. End-to-end encrypted chats protect message content only within the encrypted room, while public rooms expose metadata and content according to room policy. In a government environment, the platform must therefore manage not just message confidentiality but room membership, visibility and the handling of profile data. If a user account is compromised, the attacker inherits whatever that account can reach, including non-encrypted spaces that may still contain sensitive operational context.
Practical implication: Treat public-room exposure as an access-control problem, not a cryptography failure.
Identity boundaries and access scope in secure collaboration platforms
A secure messaging platform is an identity system with communication features. The account, its permissions and its verified context determine what the user can see, join and disclose. When identity assurance is weak or access scope is broad, compromise of a single account can reveal more than conversation text, including names, organisations and other metadata that often becomes intelligence for further targeting. Governance must therefore define which identities may access which spaces and under what assurance level.
Practical implication: Map room-level access to identity assurance and reduce default reach for compromised accounts.
Why encryption does not replace operational control
Encryption protects data in transit and at rest inside the protected channel, but it does not decide where users place information or how a platform routes conversations. Operational control covers deployment model, room classification, default sharing behaviour and incident containment. In mission-critical environments, those layers define whether a platform remains usable after a compromise or becomes a source of further exposure. The Tchap incident shows that secure communication architecture must separate routine collaboration from sensitive coordination.
Practical implication: Design communication zones with explicit classification, not with one shared trust model for all rooms.
Threat narrative
Attacker objective: The attacker sought to harvest information available through accessible rooms without breaking encryption or the underlying Matrix protocol.
- Entry occurred through a compromised user account, giving the attacker legitimate access to the messaging platform.
- Escalation came from moving within the account’s permitted surface area into public, unencrypted rooms rather than encrypted private chats.
- Impact was the exposure of user metadata for 73,467 people, including names, email addresses, employing organisations and avatar images.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- Schneider Electric credentials breach — exposed credentials gave attackers access to Schneider Electric Jira, exfiltrating 40GB.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Encrypted messaging is not an identity boundary. The Tchap incident shows that encryption can remain intact while a compromised account still exposes valuable data through public rooms. That means the real trust boundary is identity plus room governance, not the presence of encrypted transport alone. Practitioners should judge secure messaging platforms by how sharply they separate communication types.
Room structure is a governance control, not a user convenience feature. If public rooms can contain personal data or sensitive operational detail, the platform has already blurred the security model. Access design must distinguish general collaboration from protected coordination, because a single compromised account can inherit whatever that structure permits. The implication is that room taxonomy needs policy treatment, not just product configuration.
Communication blast radius: the scope of exposure is defined by what a compromised account can reach, not by what the encrypted channel protects. That assumption fails when platforms mix metadata-rich public spaces with private channels under one identity. The implication is that identity teams must measure reachable exposure, not only cryptographic strength.
Mission-critical messaging needs least exposure, not merely strong encryption. Governments and regulated operators should expect attackers to exploit the unencrypted edges of an otherwise secure system. When platform design leaves those edges broad, the security story shifts from confidentiality to containment. Practitioners should therefore treat secure messaging as an IAM, deployment and governance discipline.
Identity assurance must extend to the spaces a user can enter. Verification of who is signing in is only the starting point. The question for the programme is what that identity is allowed to reveal, join and infer once inside the platform. Secure communication policy should be enforced at the room level, not left to user behaviour.
From our research:
- Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks, according to The 2024 ESG Report: Managing Non-Human Identities.
- Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months, according to The 2024 ESG Report: Managing Non-Human Identities.
- For a broader breach lens, see 52 NHI Breaches Analysis, which maps real compromise patterns to governance failures.
What this signals
Communication platforms are now identity surfaces, not just collaboration tools. The Tchap incident is a reminder that security leaders need to govern room topology, metadata exposure and identity assurance as one control plane. That is especially true where public and private communication coexist in the same system.
With two-thirds of enterprises already reporting successful attacks from compromised non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities, the broader lesson is that access scope is the real blast radius. Messaging platforms should be assessed with the same seriousness as any other identity-enabled system.
Communication blast radius: this is the practical measure of how far a compromised identity can travel across room types, metadata fields and operational channels. Programme owners should use that lens to decide which spaces need tighter identity verification, stronger classification and sharper containment boundaries.
For practitioners
- Define room classification policy Separate general collaboration, operational coordination and sensitive crisis communication into distinct room classes with different access rules and retention expectations. Align the classification with who can join, what metadata is visible and which rooms are encrypted.
- Reduce metadata exposure by default Review which profile fields and organisation details are visible in public spaces, and remove anything that does not have a clear operational need. Minimise the value of a compromised account by limiting what it can reveal outside encrypted chats.
- Bind access to stronger identity assurance Use higher-assurance identity verification for privileged or mission-critical communication spaces, especially where sovereignty or crisis response is involved. Keep access conditions explicit so that a compromised low-assurance account cannot traverse into higher-risk rooms.
- Test compromise impact across room boundaries Simulate a single-account compromise and trace which rooms, metadata fields and operational discussions become reachable. Use the findings to tighten permissions before an attacker uses the same path.
Key takeaways
- The incident showed that encryption can hold while identity and room governance fail.
- The exposure was real and measurable, affecting 73,467 users out of more than 825,000 registered accounts.
- The control that matters most is not just encryption, but strict separation of room types, metadata and identity scope.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Access permissions and room scoping are central to the exposure path. |
| NIST SP 800-53 Rev 5 | AC-6 | Least privilege is the control principle most directly implicated by account compromise. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Compromised identity scope and overexposure align with NHI governance failures. |
| NIST Zero Trust (SP 800-207) | The incident shows why trust boundaries must be explicit and continuously enforced. |
Use NHI-03 to review non-human and platform identities that can traverse sensitive communication boundaries.
Key terms
- Communication blast radius: The amount of information, metadata and operational context a compromised identity can reach inside a messaging platform. It is a practical governance measure, not a cryptographic one. In secure collaboration systems, blast radius is shaped by room design, permissions, visibility rules and identity assurance.
- Room classification: The policy process that separates general collaboration spaces from sensitive or protected communication channels. In practice, it defines which rooms are encrypted, who may join them, what data can be shared there and how visible their membership and metadata should be.
- Identity assurance: The strength of confidence that an identity is who or what it claims to be before access is granted. For messaging platforms, assurance should influence not only sign-in but also which rooms, operational conversations and metadata an account may reach.
- Metadata exposure: The leakage of supporting information such as names, email addresses, organisations or profile images, even when message content remains protected. Metadata often creates reconnaissance value and can be as sensitive as the conversation itself when it reveals relationships and operating structure.
What's in the full article
SSH Communications Security's full analysis covers the operational detail this post intentionally leaves for the source:
- The platform architecture choices that separate encrypted private chats from public rooms and metadata exposure.
- The mission-critical communication features that support on-premises deployment and out-of-band coordination.
- The identity verification options and control assumptions used to strengthen trust in platform access.
- The sovereignty and resilience considerations that matter when communications must remain available during outages or compromise.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an IAM programme, it is worth exploring.
Published by the NHIMG editorial team on 2026-07-07.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org