Chess.com has disclosed a knowledge breach after menace actors gained unauthorized entry to a third-party file switch utility utilized by the platform.
The incident occurred in June 2025, with the menace actors sustaining entry to the stated utility for 2 weeks, between June 5 and June 18.
Chess.com found the breach on June 19, 2025, and launched an investigation to find out its scope and affect.
“On June 19, 2025, Chess.com grew to become conscious of potential unauthorized entry to knowledge saved in a third-party file switch utility utilized by Chess.com,” reads the discover despatched to impacted customers.
“Upon turning into conscious of the incident, we began an investigation, retained main consultants, notified federal regulation enforcement, and commenced taking measures to handle the incident.”
In keeping with the investigation, the incident impacts solely a really small proportion of the platform’s huge 100 million person base, estimated to be simply over 4,500 customers.
Chess.com is among the world’s largest on-line chess portals, working as a match internet hosting platform and likewise a social networking web site for lovers of the sport.
The platform has emphasised that the incident solely affected the unnamed third-party app, whereas its personal infrastructure and member accounts remained unaffected.
Nonetheless, the information which will have been accessed contains names and different personally identifiable data (PII) that has not been included within the pattern notices Chess.com shared with the authorities.
Chess.com famous that no monetary data has been uncovered, and it has no proof that the stolen knowledge has been publicly disclosed or misused but.
The platform states that it has taken further measures to safe its programs and notified regulation enforcement accordingly. It additionally affords impacted members 1-2 years of free id theft and credit score monitoring companies.
Letter recipients are given till December 3, 2025, to enroll within the supplied companies, however it is strongly recommended to take action as quickly as doable.
In November 2023, Chess.com suffered one other cyber incident, the place over 800,000 person data have been scraped from its web site by exploiting an API flaw and later posted on a hacking discussion board.
The knowledge uncovered in that case included, based on HaveIBeenPwned, e-mail addresses, full names, usernames, and geographic places.
BleepingComputer has contacted Chess.com to ask about what forms of knowledge have been uncovered and likewise the identify of the third-party that was breached, however we’re nonetheless ready for a response.
46% of environments had passwords cracked, almost doubling from 25% final yr.
Get the Picus Blue Report 2025 now for a complete take a look at extra findings on prevention, detection, and knowledge exfiltration traits.
