Breach Originated in Third-Party Application
Chess.com has confirmed that it suffered a data breach in June 2025 after attackers gained unauthorized access to a third-party file transfer application used by the platform. The attackers had access between June 5 and June 18, and the intrusion was detected the following day.
In a notice sent to affected members, Chess.com explained:
“On June 19, 2025, Chess.com became aware of potential unauthorized access to data stored in a third-party file transfer application used by Chess.com. Upon becoming aware of the incident, we started an investigation, retained leading experts, notified federal law enforcement, and began taking measures to address the incident.”
The investigation determined that the breach impacted only a very small portion of Chess.com’s 100 million users—just over 4,500 individuals.
User Impact and Data Accessed
Chess.com stressed that its core infrastructure, including its main platform and user accounts, was not affected by this breach. Instead, the exposure was limited to data stored within the compromised third-party application.
The affected records contained personally identifiable information (PII), including names and unspecified personal details. Chess.com clarified that:
- No financial information was exposed
- No login credentials were compromised
- There is currently no evidence that the stolen data has been misused or published online
To mitigate potential risks, Chess.com is offering impacted users one to two years of free identity theft protection and credit monitoring services. Impacted members must enroll by December 3, 2025, though the company has advised doing so promptly.
Security Measures and Law Enforcement Notification
Following the discovery, Chess.com engaged cybersecurity experts to assess the scope of the incident and immediately notified federal law enforcement authorities. The company has also introduced additional security safeguards to its operations to reduce the risk of similar incidents in the future.
While the breach was limited, the platform emphasized its continued focus on protecting its user community:
“We are committed to safeguarding our members’ data and have taken additional measures to secure our systems following this incident.”
Chess.com’s History of Security Incidents
This is not the first cybersecurity challenge for Chess.com. In November 2023, the platform experienced another data-related incident when more than 800,000 user records were scraped from its systems. That incident exploited a vulnerability in an application programming interface (API) and resulted in stolen records being leaked on a hacking forum.
The latest event, though affecting a much smaller number of users, adds to the growing trend of attacks targeting popular online platforms through third-party applications and integrations.
Growing Pattern of Attacks on Third-Party Applications
The Chess.com breach highlights an increasingly common entry point for attackers—third-party applications integrated with widely used platforms. Unlike direct attacks on primary infrastructure, third-party compromises allow cybercriminals to bypass internal defenses by exploiting weaker links in the supply chain.
For organizations managing sensitive data, especially with user bases in the millions, the reliance on external tools creates additional risks that require ongoing monitoring and layered defense strategies.