Chess.com Hit by Limited Data Breach Linked to 3rd-Party File Transfer Tool

Chess.com confirms a limited data breach affecting 4,500 users after a third-party file transfer tool was compromised. No passwords or payments exposed.

Chess.com has confirmed that a recent incident exposed information belonging to just over 4,500 users after attackers gained unauthorised access through a third-party file transfer application earlier this summer.

Even though the breach only impacted a small portion of Chess.com’s 150 million users, it is still concerning since the site has suffered multiple data breaches in recent years.

The company explained that the breach took place in two separate attacks on June 5 and June 18 2025. Investigators determined that attackers targeted a file transfer tool, not Chess.com’s own systems, which helped limit the scale of exposure.

According to Chess.com, no account credentials, passwords, or payment data were affected. Instead, the compromised files contained names and other identifiers. The platform says its main systems remain secure, and that the breach did not affect the ability of members to log in or play.

Notifications about the breach began going out to impacted users on September 3. Alongside those notices, Chess.com said it has involved federal law enforcement, hired external cybersecurity experts to investigate, and is offering free identity protection services to help users keep an eye on possible misuse of their information.

****Previous Cybersecurity Issues with Chess.com****

For long-time players, this is not the first time they have heard of their platform facing cybersecurity troubles. In 2021, researchers identified a flaw that could have exposed the data of 50 million Chess.com users, but it was responsibly reported to the company and never abused by attackers.

On November 10, 2023, hackers posted 800,000 scraped Chess.com user records on a hacking forum. Just two days later, another 476,000 records appeared on the same site. Chess.com later explained to Hackread.com that the leaks were the result of API abuse rather than a direct system breach.

Nevertheless, the difference with the 2025 breach is that it originated from a third-party vendor, not from automated scraping or credential leaks. Plus, it only includes a few hundred users’ data. Yet, players should remain alert, use strong, unique passwords, and watch for suspicious activity linked to their accounts.