
Online chess giant Chess.com has disclosed a data breach caused by unauthorized access to a third-party file transfer application.
The incident, which affected a small subset of users, did not compromise Chess.com's core systems or user accounts.
The breach was discovered on June 19, 2025, after the company identified suspicious activity involving data stored in a third-party file transfer tool. A subsequent investigation revealed that an external threat actor had accessed the system on June 5 and again on June 18, exfiltrating data tied to fewer than 0.003% of Chess.com users. Specific technical details about the compromised file transfer platform were not disclosed.
The notification, submitted to the Maine Attorney General's Office, confirms that the breach was the result of external hacking. A total of 4,541 individuals globally had some personal data exposed, according to the breach filing. The company began issuing written notifications to affected users on September 3, 2025.
Chess.com stated that no financial data was exposed, and there is currently no evidence that the stolen information has been misused or made publicly available. Exposed data included users' names and unspecified additional identifiers. The company's own infrastructure, source code, and member account systems remained unaffected by the breach.
Founded in 2005 and based in Orem, Utah, Chess.com operates one of the world's largest online chess platforms, boasting over 150 million registered users. The site is a hub for casual players, professional tournaments, and educational resources, making it a key player in the online gaming and esports ecosystem.
Upon discovery of the incident, Chess.com initiated an internal investigation with the support of external cybersecurity experts and notified federal law enforcement. The company reports that the breach has since been contained, and measures have been taken to further secure its systems.
To mitigate risk to affected individuals, Chess.com is offering 12 months of free identity protection services, including credit monitoring, cyber scanning, and identity theft recovery, through IDX. Impacted users have been advised to remain vigilant by monitoring their credit reports and financial accounts and to activate the provided protection services before the December 3, 2025, enrollment deadline.