Chess.com Data Breach: Third-Party File Transfer App Compromise

Online chess portal Chess.com disclosed a June 2025 data breach linked to a third-party file transfer app. Around 4,500 users had personal data (names and other identifiers) exposed.

Chess.com, one of the world’s largest chess platforms, revealed in September 2025 that it suffered a data breach in June via a third-party file transfer application. Attackers gained unauthorized access to the file transfer tool between June 5 and June 18, 2025, and the breach was discovered on June 19. Importantly, Chess.com’s own servers, game infrastructure, and user account systems were not compromised. The incident highlights how vulnerabilities in third-party services can impact even well-protected platforms.

Breach Details and Scope

The breach affected only a tiny fraction of Chess.com’s massive user base – roughly 4,500 individuals out of about 100 million members (around 0.003%). Exposed data is reported to include users’ names and other personally identifiable information (PII) stored in that file transfer app. No financial or payment information was involved in this incident. Chess.com says there’s currently no evidence that the stolen data has been published online or misused, but the company treated the situation seriously by immediately launching an investigation and notifying law enforcement. Industry reports emphasize that attacks via third-party file-transfer software are on the rise – for example, recent analysis shows that over a third of data breaches involve third-party access, with file-transfer vulnerabilities often exploited.

Impact on Users

Affected users received notification letters outlining the breach. Although only names and similar identifiers were exposed, these are still considered sensitive PII. Chess.com is offering impacted members up to two years of free identity protection and credit monitoring services. Users have until December 3, 2025 to enroll in these services, and the company recommends signing up promptly. As a precaution, impacted members should watch their email and online accounts for any suspicious activity or phishing attempts. Chess.com’s swift response – hiring cybersecurity experts and engaging federal authorities – has helped contain the breach and alert affected users quickly.

Chess.com’s Response and Advice

After discovering the breach, Chess.com stated that it had secured the vulnerable file transfer system and strengthened its overall security. The company reaffirmed that its core platform and source code were not at risk. To minimize user risk, Chess.com emphasizes vigilance: affected users are advised to change passwords on other services if reused, monitor financial statements, and take advantage of the provided identity monitoring. These steps align with standard breach response best practices.

Key Takeaways for Chess.com Users

This incident underscores how third-party tools can be attack vectors. Chess.com itself faced another breach in November 2023 when a website API flaw exposed about 800,000 user records (including email addresses and names) to hackers. Both incidents highlight the need for rigorous third-party risk management. According to security researchers, file-transfer software and cloud services remain common targets; in fact, one report found that two exploited file-transfer vulnerabilities accounted for over 60% of all vulnerability-driven third-party breaches in 2024. Organizations must therefore ensure that all third-party services, even those used internally (like file transfer apps), are kept up to date and monitored for unusual access.
