Chess.com has disclosed an information breach after menace actors gained unauthorized entry to a third-party file switch software utilized by the platform.
The incident occurred in June 2025, with the menace actors sustaining entry to the stated software for 2 weeks, between June 5 and June 18.
Chess.com found the breach on June 19, 2025, and launched an investigation to find out its scope and affect.
“On June 19, 2025, Chess.com grew to become conscious of potential unauthorized entry to information saved in a third-party file switch software utilized by Chess.com,” reads the discover despatched to impacted customers.
“Upon changing into conscious of the incident, we began an investigation, retained main consultants, notified federal legislation enforcement, and commenced taking measures to deal with the incident.”
In accordance with the investigation, the incident impacts solely a really small share of the platform’s huge 100 million person base, estimated to be simply over 4,500 customers.
Chess.com is likely one of the world’s largest on-line chess portals, working as a match internet hosting platform and in addition a social networking web site for lovers of the sport.
The platform has emphasised that the incident solely affected the unnamed third-party app, whereas its personal infrastructure and member accounts remained unaffected.
Nonetheless, the information which will have been accessed contains names and different personally identifiable info (PII) that has not been included within the pattern notices Chess.com shared with the authorities.
Chess.com famous that no monetary info has been uncovered, and it has no proof that the stolen information has been publicly disclosed or misused but.
The platform states that it has taken extra measures to safe its programs and notified legislation enforcement accordingly. It additionally provides impacted members 1-2 years of free identification theft and credit score monitoring companies.
Letter recipients are given till December 3, 2025, to enroll within the supplied companies, however it is suggested to take action as quickly as doable.
In November 2023, Chess.com suffered one other cyber incident, the place over 800,000 person information have been scraped from its web site by exploiting an API flaw and later posted on a hacking discussion board.
The data uncovered in that case included, in response to HaveIBeenPwned, e mail addresses, full names, usernames, and geographic areas.
BleepingComputer has contacted Chess.com to ask about what forms of information have been uncovered and in addition the identify of the third-party that was breached, however we’re nonetheless ready for a response.
46% of environments had passwords cracked, almost doubling from 25% final 12 months.
Get the Picus Blue Report 2025 now for a complete have a look at extra findings on prevention, detection, and information exfiltration traits.
