Chess.com

Online chess platform Chess.com disclosed a data breach caused by unauthorized access to a third-party file transfer application. The incident, discovered on June 19, 2025, involved an external threat actor exfiltrating data tied to 4,541 users (0.003% of its 150M+ user base) after accessing the system on June 5 and June 18, 2025. Compromised data included user names and unspecified identifiers, but no financial information was exposed. The breach did not affect Chess.com’s core systems, source code, or member accounts. The company contained the incident, engaged cybersecurity experts, and notified law enforcement. Affected users were offered 12 months of free identity protection services (credit monitoring, cyber scanning, and identity theft recovery) via IDX. No evidence of misuse or public exposure of the stolen data has been reported, though users were advised to monitor financial accounts and enroll in protection services by December 3, 2025.

Source: https://cyberinsider.com/chess-com-discloses-data-breach-from-3rd-party-system-compromise/

TPRM report: https://www.rankiteo.com/company/chess-com

"id": "che5360353090425",
"linkid": "chess-com",
"type": "Breach",
"date": "6/2025",
"severity": "50",
"impact": "2",
"explanation": "Attack limited on finance or reputation"
{'affected_entities': [{'customers_affected': '4,541 (<0.003% of total users)',
                        'industry': 'Online Gaming / Esports / Education',
                        'location': 'Orem, Utah, USA',
                        'name': 'Chess.com',
                        'size': 'Over 150 million registered users',
                        'type': 'Private Company'}],
 'attack_vector': 'Unauthorized access to third-party file transfer '
                  'application',
 'customer_advisories': 'Written notifications issued (2025-09-03) with '
                        'guidance on identity protection enrollment',
 'data_breach': {'data_exfiltration': True,
                 'number_of_records_exposed': 4541,
                 'personally_identifiable_information': True,
                 'sensitivity_of_data': 'Moderate (no financial or highly '
                                        'sensitive data)',
                 'type_of_data_compromised': ['Personal identifiers (names)',
                                              'Unspecified additional '
                                              'identifiers']},
 'date_detected': '2025-06-19',
 'date_publicly_disclosed': '2025-09-03',
 'description': 'Online chess giant Chess.com disclosed a data breach caused '
                'by unauthorized access to a third-party file transfer '
                'application. The incident affected a small subset of users '
                '(4,541 individuals globally, <0.003% of total users), '
                'exposing personal data such as names and unspecified '
                'identifiers. No financial data, core systems, user accounts, '
                'source code, or member account systems were compromised. The '
                'breach was discovered on June 19, 2025, with unauthorized '
                'access occurring on June 5 and June 18, 2025. The company '
                'initiated an internal investigation with external '
                'cybersecurity experts, notified law enforcement, and '
                'contained the breach. Affected users were offered 12 months '
                'of free identity protection services through IDX.',
 'impact': {'brand_reputation_impact': 'Potential reputational risk (limited '
                                       'to <0.003% of users)',
            'data_compromised': ['Names', 'Unspecified additional identifiers'],
            'identity_theft_risk': 'Low (no evidence of misuse; identity '
                                   'protection services offered)',
            'operational_impact': 'Minimal (core systems unaffected)',
            'payment_information_risk': 'None (no financial data exposed)',
            'systems_affected': 'Third-party file transfer application'},
 'initial_access_broker': {'entry_point': 'Third-party file transfer '
                                          'application'},
 'investigation_status': 'Completed (contained; no ongoing threat)',
 'post_incident_analysis': {'corrective_actions': ['Secured third-party '
                                                   'application access',
                                                   'Enhanced system monitoring '
                                                   '(details undisclosed)',
                                                   'Offered identity '
                                                   'protection services to '
                                                   'affected users'],
                            'root_causes': 'Unauthorized access to third-party '
                                           'file transfer tool (specific '
                                           'vulnerabilities undisclosed)'},
 'ransomware': {'data_exfiltration': True},
 'recommendations': ['Monitor credit reports and financial accounts for '
                     'suspicious activity',
                     'Activate provided identity protection services (IDX) '
                     'before 2025-12-03',
                     'Review third-party vendor security protocols for file '
                     'transfer applications'],
 'references': [{'source': "Maine Attorney General's Office Breach Filing"}],
 'regulatory_compliance': {'regulatory_notifications': ['Maine Attorney '
                                                        "General's Office"]},
 'response': {'communication_strategy': 'Written notifications to affected '
                                        'users (issued 2025-09-03); public '
                                        'disclosure via Maine Attorney '
                                        "General's Office filing",
              'containment_measures': 'Breach contained; third-party '
                                      'application secured',
              'incident_response_plan_activated': True,
              'law_enforcement_notified': True,
              'remediation_measures': 'Systems further secured (specifics '
                                      'undisclosed)',
              'third_party_assistance': 'External cybersecurity experts '
                                        'engaged'},
 'threat_actor': 'External',
 'title': 'Chess.com Data Breach via Third-Party File Transfer Application',
 'type': 'Data Breach'}