The MyTT mobile application, published by Tunisie Telecom, was the target of a cyberattack on Saturday, May 23, 2026. Beyond the incident itself, which was quickly contained according to the operator, the affair offers a case study on two questions that are increasingly central for Tunisian companies and institutions: the security of their digital channels and how they communicate in a crisis.
What happened
On May 23, many Tunisie Telecom subscribers received, via the MyTT app, a notification whose content was unrelated to the platform’s usual purpose — normally dedicated to commercial offers, Internet services and billing reminders. Screenshots of this notification quickly circulated on social media, triggering numerous reactions.
At first, the operator spoke of simple maintenance work and performance improvements for the application.
Then, in a second statement published that same evening, Tunisie Telecom acknowledged that the MyTT application had been the subject of a cyberattack. The company said that the attack had been detected at the earliest moments and neutralized thanks to its protection and monitoring systems, and assured that it had had no impact on data integrity or on the continuity of services for customers. The operator also stated that the notification received by some customers was not related to its activity or to the app’s purpose.
At this stage, the assessment of the incident depends on the operator’s statements. No independent technical source has published findings confirming or clarifying the exact scope of the attack, its origin, or its modalities.
A logical target, a threat that takes hold
That a national operator is subject to attack attempts is, in itself, not exceptional. Telecom infrastructures around the world are among the most coveted targets because of the number of users they reach and the sensitivity of the services they operate.
Large organizations are targeted almost continuously, and the relevant question is usually not whether an attack will occur, but how it will be detected and contained.
This incident fits into a broader trend clearly documented by official figures. According to the National Agency for Cybersecurity (ANSI), Tunisia recorded 57,430 cyber attacks during the first half of 2025 alone, while the entire year 2023 had recorded nearly 150,000.
The progression is even more telling over time: the number of incidents reported to ANSI had already surged by more than 146% in 2022, rising from 63,000 in 2021 to more than 155,000. Financially, losses inflicted on Tunisian businesses by cyberattacks were estimated, as early as 2020, at more than one billion dinars.
International security vendors confirm this intensification. Kaspersky’s 2024 report notes more than 23 million threats detected and blocked in Tunisia over the year, with a 140% surge in ransomware — rising from 15,411 attacks in 2023 to 37,076 in 2024.
These indicators cover distinct realities — detected attacks, declared incidents, automatically blocked threats — and they cannot be added together. But all point in the same direction: increasing exposure affecting large institutions as well as SMEs and individuals. The country is therefore not an isolated case, and the MyTT incident is not a world-shaking event.
The real lesson: the notification channel as a point of vulnerability
Perhaps the most instructive aspect of this episode is technical. A mobile application that users associate with mundane tasks — checking an invoice, activating an offer — actually has a powerful channel: push notifications, capable of instantly reaching hundreds of thousands of devices. This channel, valuable for customer service, becomes a risk once it can be hijacked.
And it is precisely on this ground that the MyTT episode raises an important question. For a national operator, facing intrusion attempts is part of daily life: the challenge is to detect, contain, and block them before they produce a visible effect for users. In the MyTT case, the incident did have a concrete effect: an unusual notification did reach the screens of many subscribers.
Tunisie Telecom says it detected and neutralized the attack at the earliest moments.
One point still remains to be publicly clarified: how could this message be disseminated despite the protection and monitoring systems mentioned by the operator? In the absence of an independent technical report, the real extent of the incident — a simple glitch quickly corrected, limited access to a notification tool, or a more serious compromise of the dissemination channel — cannot be publicly established.
For any organization operating a consumer-facing application, the lesson is clear: notification and messaging systems must be protected with the same level of rigor as customer databases. This requires strict access controls, strengthened authentication for administrator accounts, auditing of sensitive actions, and the ability to rapidly cut a compromised channel.
The value of a flaw is not measured only by the data it exposes, but also by the reach of the message it allows an attacker to disseminate.
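The controls listed above (access control, strong authentication for administrators, auditing of sensitive actions, a rapid cut-off) can be enforced together in one gate placed in front of the broadcast call. The Python example below is added here for illustration and is not Tunisie Telecom's code or derived from the incident; the role name, the 300-second MFA freshness window, the two-person approval rule and every class and function name are assumptions.

```python
import hashlib, json
from collections import namedtuple
from dataclasses import dataclass, field

MFA_MAX_AGE = 300                  # seconds; assumed policy value
BROADCAST_ROLE = "push-broadcast"  # hypothetical role name
Admin = namedtuple("Admin", "name roles mfa_at")  # mfa_at: time of last MFA check
def _digest(entry):
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()

@dataclass
class PushGate:
    enabled: bool = True           # kill switch: False blocks every broadcast
    audit: list = field(default_factory=list)  # hash-chained, tamper-evident

    def _log(self, now, actor, action, detail):
        prev = self.audit[-1]["hash"] if self.audit else "0" * 64
        entry = {"ts": now, "actor": actor, "action": action, "detail": detail, "prev": prev}
        self.audit.append({**entry, "hash": _digest(entry)})

    def kill(self, actor, now):
        self.enabled = False
        self._log(now, actor.name, "kill_switch", "")

    def _deny_reason(self, author, approver, now):
        if not self.enabled:
            return "channel disabled"
        if author.name == approver.name:
            return "approver must differ from author"
        for a in (author, approver):
            if BROADCAST_ROLE not in a.roles:
                return f"{a.name} lacks role"
            if now - a.mfa_at > MFA_MAX_AGE:
                return f"{a.name} MFA stale"

    def send_broadcast(self, author, approver, message, now):
        reason = self._deny_reason(author, approver, now)
        # Denials are logged too; on success a real service would call its push provider.
        detail = reason or f"approved by {approver.name}: {message}"
        self._log(now, author.name, "denied" if reason else "sent", detail)
        return reason is None, reason

    def audit_intact(self):
        prev = "0" * 64
        for e in self.audit:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or _digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True
```

Because every refusal is written to the same chained log as every send, a burst of "denied" entries or a broken chain is itself a detection signal for the monitoring team.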
The other lesson: crisis management
The MyTT incident illustrates a second lesson, often underestimated: when an incident is visible to the public, communication counts almost as much as the technical response.
The two-step sequence — an initial explanation focused on maintenance, followed by acknowledgment of the cyberattack — fueled comments and the spread of information on social networks. The experience, in Tunisia as elsewhere, shows that an incident broadly visible to the public is very hard to minimize: screenshots circulate within minutes, and a gap between the first version and perceived facts tends to undermine trust even more than the incident itself.
Crisis management best practices converge on a few principles: quickly acknowledge what is observable, communicate factually and consistently, avoid stating what is not yet established, and keep the public informed of developments. A clear and accountable response protects an organization’s reputation better than an initially incomplete explanation.
What users can take away
For the general public, this episode is an opportunity to recall a few simple reflexes that apply to any online service.
The first precaution is to beware of notifications, messages, or emails with unusual content, even when they come from a seemingly trustworthy source, and never click on suspicious links.
Next come deeper protections: enable two-factor authentication on sensitive accounts where available, keep apps and the operating system up to date — security patches remaining one of the best defenses against known vulnerabilities — and use distinct passwords for the most important services.
None of these measures is spectacular, but their combined effect significantly reduces the surface an attacker can exploit.
The MyTT incident, as described by the operator, did not result in a data breach or a lasting disruption of services. In that sense, it is more of a signal than a seismic event.
In a context where cyber threats are advancing year by year, the country’s digital resilience will depend as much on the technical robustness of systems as on the management and security culture of organizations and citizens.