TL;DR: The Tchap incident in June 2026 showed that encrypted private chats remained protected after a user account compromise, while 73,467 users’ names, emails, organisations and avatars were exposed through public rooms, according to SSH Communications Security. The lesson is that messaging security depends on identity, room design and access boundaries, not encryption alone.
NHIMG editorial — based on content published by SSH Communications Security: Tchap incident analysis and secure messaging architecture
Questions worth separating out
Q: How should organisations limit damage when a messaging account is compromised?
A: Limit damage by separating communication into distinct room classes, reducing visible metadata and applying stronger identity assurance to sensitive spaces.
Q: Why can encrypted messaging still expose sensitive information?
A: Encrypted messaging can still expose sensitive information when public rooms, profile data and access permissions sit outside the encrypted boundary.
Q: What do security teams get wrong about secure collaboration platforms?
A: Teams often assume that strong encryption is enough, when the real risk is exposure through identity scope and room design.
Practitioner guidance
- Define room classification policy Separate general collaboration, operational coordination and sensitive crisis communication into distinct room classes with different access rules and retention expectations.
- Reduce metadata exposure by default Review which profile fields and organisation details are visible in public spaces, and remove anything that does not have a clear operational need.
- Bind access to stronger identity assurance Use higher-assurance identity verification for privileged or mission-critical communication spaces, especially where sovereignty or crisis response is involved.
What's in the full article
SSH Communications Security's full analysis covers the operational detail this post intentionally leaves for the source:
- The platform architecture choices that separate encrypted private chats from public rooms and metadata exposure.
- The mission-critical communication features that support on-premises deployment and out-of-band coordination.
- The identity verification options and control assumptions used to strengthen trust in platform access.
- The sovereignty and resilience considerations that matter when communications must remain available during outages or compromise.
👉 Read SSH Communications Security's analysis of the Tchap incident and secure messaging boundaries →
Encrypted messaging and identity boundaries: what Tchap exposed?
Explore further
Encrypted messaging is not an identity boundary. The Tchap incident shows that encryption can remain intact while a compromised account still exposes valuable data through public rooms. That means the real trust boundary is identity plus room governance, not the presence of encrypted transport alone. Practitioners should judge secure messaging platforms by how sharply they separate communication types.
A few things that frame the scale:
- Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks, according to The 2024 ESG Report: Managing Non-Human Identities.
- Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months, according to The 2024 ESG Report: Managing Non-Human Identities.
A question worth separating out:
Q: Who is accountable for securing communication spaces that mix encrypted and public rooms?
A: Accountability sits with the organisation that defines identity policy, room structure and access governance for the platform. Security, IAM and platform owners need shared ownership because a messaging system is only as secure as its boundaries, metadata controls and the permissions granted to each identity.
👉 Read our full editorial: Tchap breach shows why encrypted messaging needs tighter identity boundaries