Chess.com disclosed a data breach after unauthorized access to a third-party file-transfer application used on the platform. The incident occurred in June 2025, with attackers maintaining access for two weeks from June 5 to June 18. Chess.com said it discovered the breach on June 19 and immediately launched an investigation with leading experts, notified federal law enforcement, and began implementing measures to secure its systems.
Officials said the breach affected only a very small portion of Chess.com’s roughly 100 million-user base, estimated at just over 4,500 accounts. The information potentially accessed included names and other personally identifiable information (PII) that was not included in the notices Chess.com shared with the authorities.
Chess.com stressed that its own infrastructure and member accounts remained unaffected. The company said no financial information appears to have been exposed and there is no evidence that the stolen data has been publicly disclosed or misused. It said it has taken additional measures to secure its systems and has notified law enforcement accordingly. Impacted members were offered 1-2 years of free identity theft and credit monitoring services, with enrollment available through December 3, 2025.
In a separate note, Chess.com recalled a previous cyber incident from November 2023, when more than 800,000 user records were scraped from its site through an API flaw and later posted on a hacking forum. The exposed information, according to HaveIBeenPwned, included email addresses, full names, usernames, and geographic locations. The company did not immediately provide additional details on the current breach or the third-party involved.