Chess.com has disclosed a knowledge breach after menace actors gained unauthorized entry to a third-party file switch utility utilized by the platform.
The incident occurred in June 2025, with the menace actors sustaining entry to the stated utility for 2 weeks, between June 5 and June 18.
Chess.com found the breach on June 19, 2025, and launched an investigation to find out its scope and impression.
“On June 19, 2025, Chess.com turned conscious of potential unauthorized entry to knowledge saved in a third-party file switch utility utilized by Chess.com,” reads the discover despatched to impacted customers.
“Upon turning into conscious of the incident, we began an investigation, retained main specialists, notified federal legislation enforcement, and started taking measures to deal with the incident.”
In keeping with the investigation, the incident impacts solely a really small share of the platform’s large 100 million person base, estimated to be simply over 4,500 customers.
Chess.com is among the world’s largest on-line chess portals, working as a match internet hosting platform and in addition a social networking web site for lovers of the sport.
The platform has emphasised that the incident solely affected the unnamed third-party app, whereas its personal infrastructure and member accounts remained unaffected.
Nonetheless, the information which will have been accessed contains names and different personally identifiable info (PII) that has not been included within the pattern notices Chess.com shared with the authorities.
Chess.com famous that no monetary info has been uncovered, and it has no proof that the stolen knowledge has been publicly disclosed or misused but.
The platform states that it has taken extra measures to safe its programs and notified legislation enforcement accordingly. It additionally gives impacted members 1-2 years of free id theft and credit score monitoring providers.
Letter recipients are given till December 3, 2025, to enroll within the provided providers, however it is suggested to take action as quickly as attainable.
In November 2023, Chess.com suffered one other cyber incident, the place over 800,000 person information had been scraped from its web site by exploiting an API flaw and later posted on a hacking discussion board.
The knowledge uncovered in that case included, in line with HaveIBeenPwned, e-mail addresses, full names, usernames, and geographic areas.
BleepingComputer has contacted Chess.com to ask about what varieties of knowledge have been uncovered and in addition the identify of the third-party that was breached, however we’re nonetheless ready for a response.
46% of environments had passwords cracked, practically doubling from 25% final yr.
Get the Picus Blue Report 2025 now for a complete take a look at extra findings on prevention, detection, and knowledge exfiltration developments.
