Aikido Security flagged the largest npm attack ever recorded, with 18 packages like chalk, debug, and ansi-styles hacked…

Aikido Security flagged the largest npm attack ever recorded, with 18 packages like chalk, debug, and ansi-styles hacked to hijack crypto wallets via injected code.

Aikido Security has flagged what could be the biggest npm supply chain compromise ever recorded. The account of a long-trusted maintainer known as qix was hijacked through a phishing email, and 18 popular packages were altered with malicious code. Those packages include chalk, debug, and ansi-styles, which together represent more than two billion weekly downloads.

The good news is that the timing of the detection was fast enough to limit damage. Aikido’s lead malware researcher, Charlie Eriksen, said the attack was identified within five minutes and disclosed within an hour.

What makes this incident especially serious is the purpose of the injected malware. Instead of targeting development environments or servers, the code is designed to interfere with cryptocurrency transactions in the browser.

According to researchers, it hooks into MetaMask, Phantom, and other wallet APIs, altering transaction data before users sign. The interface shows the correct recipient, but the funds are redirected to addresses controlled by the attacker.

The malware also intercepts network traffic and application calls, recognises formats across Ethereum, Bitcoin, Solana, Tron, Litecoin, and Bitcoin Cash, and then rewrites them with convincing lookalike addresses. Since it operates at both the browser and API level, it can make fraudulent transfers appear legitimate.

The full list of compromised packages is long, but some of the most widely used include chalk (300 million weekly downloads), debug (358 million), and ansi-styles (371 million). Other affected projects range from low-level utilities like is-arrayish to formatting libraries such as strip-ansi.

For many developers, these packages are part of the foundation of everyday JavaScript applications, meaning the malicious versions could already be running in production systems worldwide.

The maintainer confirmed on Bluesky that his account was taken over after receiving a phishing email from “[email protected].” By the time he began removing the infected packages, access to his account was lost. Some packages, like simple-swizzle, remain compromised as of the latest update.

Aikido’s analysis shared with Hackread.com shows the code is highly intrusive, modifying functions like fetch, XMLHttpRequest, and wallet API methods. It alters transaction payloads, approvals, and even Solana’s signing flow, redirecting assets without the user’s knowledge. In practical terms, this means a developer who updated one of these packages could be exposing users to wallet hijacking as they interact with Web3 applications.

For now, developers are advised to roll back to known safe versions, audit any recent package updates, and monitor transactions closely if their applications interact with cryptocurrency wallets. The situation remains active, and Aikido is now posting live updates on its official blog.

npm Packages With 2 Billion Weekly Downloads Hacked in Major Attack

Hackers exploit a Sitecore zero-day (CVE-2025-53690) to deploy WEEPSTEEL Malware via ViewState attacks, enabling Remote Code Execution (RCE).

A critical zero-day vulnerability (CVE-2025-53690) is being actively exploited in Sitecore. This flaw, originating from old, insecure keys, allows hackers to achieve Remote Code Execution (RCE) via ViewState deserialization attacks.

For your information, this exploit hinges on a feature called ViewState, which is part of ASP.NET and helps a website remember a user’s actions. Attackers are exploiting a serious vulnerability in this feature, known as a ViewState deserialization attack. This occurs when the server, which normally trusts ViewState messages, is tricked into accepting malicious code because the security keys that protect it are known to the public.

Reportedly, hackers have been leveraging a key from Sitecore’s own deployment guides, which were published as far back as 2017. By using this publicly known key, attackers can trick the system into accepting malicious commands, which ultimately allows them to run their own code on the server, a method known as Remote Code Execution (RCE).

****From Simple Probe to Full Control****

The attack, as observed by Mandiant, follows a detailed multi-step process. It starts with the hackers probing web servers before focusing on a specific Sitecore page that uses a hidden ViewState form. Once they gain a foothold, they quickly deploy a reconnaissance tool, the WEEPSTEEL malware, to gather critical information about the system.

With initial access secured, the attackers moved to steal sensitive configuration files and then deployed a suite of open-source tools to expand their control. This included EARTHWORM for creating secret tunnels, DWAGENT for remote access, and SHARPHOUND for mapping the network. They then created and used new local administrator accounts to steal user credentials, allowing them to move deeper into the network. This highlights the sophisticated and methodical approach of the attackers.

****Warning****

In an urgent comment on the discovery, Ryan Dewhurst, head of proactive threat intelligence at watchTowr, pointed out that the vulnerability’s cause is a straightforward mistake by Sitecore users. “The issue stems from Sitecore users copying and pasting example keys from official documentation, rather than generating unique, random ones,” he noted.

It is worth noting that Sitecore, a Sitecore is a digital experience and content management platform, has confirmed that new deployments will now automatically generate unique keys, and all affected customers have been contacted. Mandiant and Google were able to disrupt the attacks before they could fully unfold. However, Dewhurst warned that the “wider impact has not yet surfaced, but it will,” emphasising the potential for more widespread damage in the near future.

Zero-Day in Sitecore Exploited to Deploy WEEPSTEEL Malware

MostereRAT malware targets Windows through phishing, bypasses security with advanced tactics, and grants hackers full remote control. Cybersecurity…

MostereRAT malware targets Windows through phishing, bypasses security with advanced tactics, and grants hackers full remote control.

Cybersecurity researchers at FortiGuard Labs have identified a new malware threat called MostereRAT that is being delivered via a phishing campaign targeting Windows devices. The research, which was shared with Hackread.com, warns that this threat has a “high severity” level.

For your information, MostereRAT is a type of Remote Access Trojan (RAT), which is a form of malware that allows attackers to take full control of a computer remotely, as if they were sitting right in front of it.

****The Attack****

The attack begins with convincing phishing emails, designed to look like legitimate business inquiries, to trick Japanese users. When a victim clicks on a malicious link in the email, a compromised file automatically downloads. This file then guides the victim to open an embedded archive, which contains the malicious program.

Attack Flow (Source: Fortinet FortiGuard Labs)

It is worth noting that the malware uses several advanced methods to avoid detection. One key technique is its use of a unique coding language called Easy Programming Language (EPL), a language originally designed for Chinese speakers. By using this less common language, the hackers make their malicious operations harder to analyse.

The malware also actively works to disable security tools and anti-virus software by blocking their network traffic and even shutting down Windows security features. Furthermore, the malware secures its communication with the Command and Control (C2) server using a highly advanced method called mutual TLS (mTLS), which makes its network traffic much harder to detect and intercept.

Once the malware is running, it deploys a variety of remote access tools like AnyDesk and TightVNC. These are legitimate programs that people use for remote work, but in this case, the attackers use them to gain full access to the victim’s computer.

This allows them to control the system, collect data, and even install more malicious payloads. The malware also creates a hidden user account with administrative privileges, ensuring it can maintain access even if the victim thinks they have removed the threat.

In its blog post, FortiGuard Labs stated that the threat has evolved from a banking trojan first seen in 2020 into this new and more dangerous form. Fortinet has developed protections to detect and block MostereRAT, and they recommend that organisations educate their employees on the dangers of social engineering to prevent the initial attack.

_“_Given that the initial attack vector is phishing emails leading to malicious links and website downloads, browser security is a critical area for defence. Enforce browser security policies restricting automatic downloads and prompting users for confirmation before downloading files from unknown sources,_“_ said Lauren Rucker, Senior Cyber Threat Intelligence Analyst at Deepwatch.

_“_Additionally, organisations should configure user accounts with the minimum necessary privileges to prevent systems from escalating privileges to SYSTEM or TrustedInstaller,_“_ she added.

MostereRAT Targets Windows, Uses AnyDesk and TightVNC for Full Access

Paris, France, 2025 – iExec has announced the deployment of its privacy framework on Arbitrum, enabling the creation…

**Paris, France, 2025 –** iExec has announced the deployment of its privacy framework on Arbitrum, enabling the creation of powerful applications enhanced with confidential computing features. The move establishes iExec as the only TEE-based privacy tool platform in the $3.15B TVL Arbitrum ecosystem, delivering privacy tools to thousands of developers and powering applications for millions of Web3 users.

The launch of iExec’s privacy tooling on Arbitrum extends the sophistication of apps spanning AI, DeFi, and gaming on the Layer-2 network. As a result, developers can launch privacy-first applications without managing infrastructure, significantly bolstering scalability while reducing overhead.  

iExec’s Arbitrum deployment marks the first phase of a multi-chain rollout that will see its revitalised framework, designed for fast deployment across multiple EVM-compatible networks, widely integrated. A number of projects are already using iExec privacy tools on Arbitrum, including Ototamto, DexPal, 1xBuild, Incentive Finance, TempWallets, and ApeBond. By making privacy easy to integrate into any Arbitrum app, iExec allows web3 users to enjoy greater control over their data by gaining the ability to mask sensitive information.

The deployment of iExec’s privacy tooling on Arbitrum has been supported by partners such as AR.IO, with whom it has co-launched Web3Telegram, as well as Aethir and security auditor Halborn. Powered by the RLC token, iExec’s privacy implementation ensures that every private transaction, protected dataset, and confidential computation on Arbitrum contributes to the circulation and utility of RLC.

To support its rollout of EVM-wide privacy tooling, iExec aims to support builders and users seeking to take advantage of these capabilities, ensuring they have the resources they need for successful implementations. Through enabling Arbitrum builders to integrate privacy natively, iExec will help fuel a new wave of applications that can protect users from risks such as front-running and surveillance.

“iExec’s is making privacy an easy-to-implement feature for developers, not an afterthought that needs to be shoehorned into applications post-launch,” said Chase Allred, Partnerships Manager for Offchain Labs.

“Launching on Arbitrum puts a powerful set of developer tools directly in the hands of builders in one of the largest DeFi ecosystems, removing the friction of TEE and enabling new classes of applications. We look forward to seeing what is built,” Chase added.

iExec will support the rise of privacy-focused apps that are both scalable and user-centric. Developers can run encrypted processes, control access to sensitive data, and add trusted off-chain functions using prebuilt components.

The Arbitrum launch marks a milestone for iExec, bringing a fully operational TEE-powered privacy stack to one of the leading Layer 2s while reinforcing its vision for privacy becoming the standard across applications. Each builder who integrates iExec tools fuels more applications, use cases, and activity, creating a virtuous cycle where builders gain usability, users gain protection, and the ecosystem grows stronger with every integration.

****About iExec****

iExec is the builders’ home for privacy tools. iExec tools make it easy to build privacy-first applications with programmable governance, data protection, and confidential processing integrated. This allows builders to give users full control of their data and its access, while enabling new models for sharing and monetisation. iExec is creating an ecosystem where every transaction, dataset, and application contributes to a safer, more private, and shared economy for users.  

Learn more: https://www.iex.ec/

iExec brings TEE-based privacy tools to Arbitrum

North Korea’s Lazarus Group uses the ClickFix scam in fake crypto job interviews to deploy malware, steal data,…

North Korea’s Lazarus Group uses the ClickFix scam in fake crypto job interviews to deploy malware, steal data, and fund the regime’s programs.

A recent investigation by SentinelLABS and internet intelligence platform Validin reveals that North Korean threat actors behind the Contagious Interview campaign are actively abusing public cybersecurity platforms like Validin, Maltrail, and VirusTotal to improve their malicious activities.

The Contagious Interview campaign, active since at least 2023, targets job seekers in the cryptocurrency and blockchain industries. The goal is to steal money, which helps North Korea’s sanctioned economy and funds its missile programs. It is widely assessed to be a component of the larger Lazarus Group, a state-sponsored entity focused on generating revenue for North Korea.

The research, shared with Hackread.com, reveals that hackers use these platforms, which are designed to help cybersecurity professionals track threats, to monitor their own domains and avoid detection. Significant operational security (OPSEC) failures exposed files and directory contents, allowing researchers to piece together their timeline and methods.

The investigation covered the period from March to June 2025 and shows a worrying trend that the North Korean hackers operate in highly coordinated teams, likely using communication tools like Slack.

When Validin published an article about the group’s infrastructure on March 11, 2025, the hackers responded within hours, creating accounts to search for information about their own activities.

Even after Validin blocked their initial accounts, the hackers persisted, creating new ones from different email addresses and fake personas. Some of these personas were references to pop culture, like “Rock Lee” and “Mar Vel,” while others impersonated legitimate companies. Reportedly, between January and March 2025, the campaign impacted at least 230 individuals, though the actual number is likely much higher.

Countries targeted in this campaign (Credit: SentinelLABS)

It is worth noting that the hackers trick job seekers through a social engineering technique called ClickFix. This involves luring victims to a fake interview website where they are presented with a fabricated error, such as a camera issue. They are then instructed to copy and paste command lines to fix the problem, unknowingly deploying malware.

Attacks are carried out using a special tool, named ContagiousDrop, which is designed to deliver malware disguised as software updates. It’s smart enough to identify if a victim is using Windows, macOS, or Linux and then sends the correct type of malware.

Researchers observed that these applications also have a built-in email notification system that alerts the hackers whenever a victim engages with a fake job assessment or downloads the malicious file.

Email notification recipients (Credit: SentinelLABS)

They also suspect that the hackers are building a victim database, as the attackers’ server logs contained detailed information about the affected individuals, including their full names, email addresses, phone numbers, and IP addresses.

These victims were mainly in marketing and finance roles within the cryptocurrency sector and were targeted with fake job offers from well-known companies like Archblock, Robinhood, and eToro.

The report concludes that the most critical element in stopping this threat is the human factor, urging job seekers to “exercise heightened vigilance when engaging with employment offers and associated assessments.”

Lazarus Group Deploys Malware With ClickFix Scam in Fake Job Interviews

Salesloft Drift breach traced to GitHub compromise and stolen OAuth tokens, Mandiant confirms breach contained and Salesforce data targeted.

Heard about the recent data breaches where attackers used the Salesloft Drift application to access Salesforce data? There’s now a major update. The company has provided new details about the recent security incident involving its Drift application, confirming that the breach has been contained and customer protections are in place.

The company brought in Google-owned cybersecurity firm Mandiant on August 28 to lead an investigation into the compromise. The scope of the engagement included identifying the root cause, assessing the damage, and validating that Salesloft’s core environment remained secure.

****GitHub Access Preceded the Breach****

Salesloft’s advisory detailing Mandiant’s findings published today shows that the attacker gained access to a Salesloft GitHub account between March and June 2025. During this period, they downloaded content from several private repositories, added a guest user, and created new workflows.

Additionally, reconnaissance activity was also detected in both the Salesloft and Drift environments. However, investigators found no evidence that the attacker moved beyond limited probing in the Salesloft environment itself.

The attacker ultimately shifted focus to Drift’s AWS environment, where they obtained OAuth tokens from Drift customers. These tokens were then abused to access customer data through integrated applications.

****Containment and Remediation****

Salesloft says it acted quickly to contain the incident. Key steps included:

*   Rotating all affected credentials within Drift.
*   Rotating credentials in Salesloft’s own environment as a precaution.
*   Isolating Drift’s application and infrastructure, then taking the service offline.
*   Hardening its environment against the techniques observed in the attack.
*   Conducting proactive threat hunting across Salesloft infrastructure, which revealed no additional signs of compromise.

Mandiant also confirmed that the Drift and Salesloft platforms are technically segmented, a factor that helped limit the attacker’s reach.

Screenshot from the company’s latest update

****Industry Impact****

The breach is not limited to Drift alone. According to Google’s Threat Intelligence Group and Mandiant, the attack was part of a coordinated campaign that targeted Salesforce integrations across multiple companies in August.

As Hackread.com reported, organisations including Zscaler, Palo Alto Networks, PagerDuty, Cloudflare, TransUnion, Chanal, Google, Farmers Insurance and others have confirmed that data tied to their Salesforce environments was accessed through compromised Drift OAuth tokens. In most cases, the exposed information consisted of business contact details such as names, email addresses, job titles, and phone numbers.

While attribution remains under investigation, Google has linked threat actor group UNC6395 to the campaign. At the same time, although unconfirmed, a separate group known as “Scattered Lapsus$ Hunters,” an apparent coalition that combines the tactics and branding of Scattered Spider, Lapsu$, and ShinyHunters, has publicly claimed responsibility, though this has not been confirmed by investigators.

**Current Status**

With the Drift breach contained, Mandiant’s role has now moved to forensic quality assurance to validate the findings and ensure the integrity of both environments. On the other hand, Salesloft emphasised that while Drift was directly impacted, its core application environment was not breached beyond reconnaissance activity.

Salesloft Drift Breach Traced to GitHub Compromise and Stolen OAuth Tokens

Urgent security alert for SAP users! A critical vulnerability (CVE-2025-42957) allows attackers to take full control of your…

Urgent security alert for SAP users! A critical vulnerability (CVE-2025-42957) allows attackers to take full control of your system. Find out if your SAP S/4HANA is at risk and what steps to take now to mitigate the threat.

A critical security flaw has been found in several SAP products, including SAP S/4HANA, a system used by a wide range of global companies to manage their finances, supply chains, and other key business functions. This vulnerability, tracked as CVE-2025-42957, is considered highly dangerous because it could allow a malicious actor to take complete control of a company’s SAP system.

The Colorado-based identity and access security provider firm, Pathlock Research Lab, has confirmed that the vulnerability is already being actively exploited by hackers. Despite requiring a low-level user account for access, this flaw is easy for an attacker to use, and once inside, they can bypass security checks to inject their own malicious code.

****The Dangers of the Vulnerability****

The potential damage from this flaw is severe. An attacker who successfully exploits it could gain administrator-level control, allowing them to steal sensitive data, create hidden backdoors, disrupt operations, and even deploy ransomware.

Since SAP S/4HANA is central to so many critical business processes, a compromise could cause significant financial and operational damage to a company. The vulnerability affects SAP S/4HANA (Private Cloud or On-Premise) with the core Enterprise Management component S4CORE versions 102, 103, 104, 105, 106, 107, and 108.

****Immediate Action is Required****

The Dutch National Cyber Security Center (NCSC-NL) issued a security advisory on September 5, 2025, specifically to address the risks posed by this vulnerability. The advisory, which carries a medium-high priority, confirms that these vulnerabilities have been fixed in various SAP products and that the CVE-2025-42957 flaw is being actively exploited in the wild. The advisory serves as a formal confirmation of the threat and a call to action for organisations to protect themselves.

Also, SAP released patches for the affected systems on August 12, 2025, which are the only way to fully protect against this threat. Organisations using SAP S/4HANA, SAP NetWeaver, or other affected products are strongly urged to apply these security updates immediately. Two specific patches, Note 3627998 for S/4HANA and Note 3633838 for SAP Landscape Transformation, are especially important to install.

For companies that have not yet applied the August 2025 security updates, the risk of a cyberattack is high. Monitoring systems for unusual activity and strengthening security measures are also recommended to help prevent or detect any attempts to exploit this critical vulnerability.

****Expert Insight****

Shane Barney, Chief Information Security Officer at Keeper Security, shared his expert opinion on the matter, describing the CVE as a “textbook example” of why untrusted input should never be allowed to dictate how code runs. “Once dynamic code execution is in play, attackers can turn small openings into complete system compromise,” Barney said.

He recommended that organisations avoid dynamic code execution or, at a minimum, strictly limit what commands are allowed. He also stressed the importance of having a deep understanding of how applications are designed to operate to effectively detect and contain attacks before they spread.

Critical SAP Vulnerability CVE-2025-42957 Actively Exploited by Hackers

GhostAction supply chain attack hit 817 GitHub repositories, stealing 3,325 secrets including npm, PyPI, and DockerHub tokens.

On September 2, 2025, a GitHub user known as Grommash9 committed a new workflow file to the FastUUID project. The file, labelled “Github Actions Security,” appeared similar to routine automation scripts but was later found to contain malicious code designed to collect CI/CD secrets and send them to an external server.

FastUUID is an open-source Python library used in generating and working with universally unique identifiers (UUIDs) efficiently.

By September 5, cybersecurity researchers at GitGuardian had spotted the unusual activity and confirmed the FastUUID repository had been compromised. The workflow contained a command that packaged secrets into an HTTP POST request and transmitted them to a server hosted at 45.139.104.115.

The PyPI token for the project was among the data exfiltrated, but investigators found no malicious package releases during the compromise period. PyPI acted in time, locking the project in read-only mode to prevent further abuse while the maintainer removed the malicious commit.

GitGuardian’s follow-up analysis revealed that hundreds of repositories had been tampered with using nearly identical workflows. The company has now dubbed the attack “GhostAction” supply chain attack.

According to GitGuardian’s report shared with Hackraed.com, in total, 327 developers across 817 repositories were affected, and attackers stole over 3,325 secrets. These included DockerHub credentials and GitHub tokens to npm publishing keys, which could be misused or impact software supply chains.

The attack also included attackers analysing legitimate workflow files to identify which secrets were in use, then hardcoded those same secret names into their malicious workflows.

Furthermore, each commit was personalised, adjusting the attack to each project. The exfiltration server remained consistent throughout the campaign, always pointing to a domain “plesk.page” which stopped resolving later in the afternoon of September 5.

GitGuardian’s team raised issues directly in hundreds of compromised repositories to notify developers. They were able to alert maintainers of 573 projects, while others had either disabled GitHub issues or deleted the repository entirely. Conversations with affected developers also confirmed that some secrets were actively abused, with attackers attempting to access AWS environments and database services.

The incident affected projects in multiple programming languages, with malicious workflow commits found in Python, JavaScript, Rust, and Go repositories. Additionally, several companies found that their entire SDK portfolios had been tampered with. Since the attackers compromised many projects, the stolen npm and PyPI tokens could still be used to publish malicious releases.

By late afternoon on September 5, GitGuardian had notified GitHub, npm, and PyPI of the campaign. Security teams across these platforms are now monitoring for suspicious package publications and related activity. So far, at least 9 npm and 15 PyPI projects remain at risk due to compromised tokens, though no malicious releases have yet been confirmed.

GitGuardian has published indicators of compromise, including the workflow file name, commit message, and the malicious server address, to help teams identify whether their projects were affected.

The GhostAction campaign is still under investigation, but current findings show it to be one of the largest GitHub workflow compromises to date, affecting hundreds of projects and exposing thousands of secrets.

GhostAction Attack Steals 3,325 Secrets from GitHub Projects

Bridgestone confirms a cyberattack that disrupted manufacturing plants. This article details the impact on employees, expert analysis, and…

Bridgestone confirms a cyberattack that disrupted manufacturing plants. This article details the impact on employees, expert analysis, and a look at the suspected hacking group, Scattered Lapsus$ Hunters.

Tire manufacturing giant Bridgestone, the world’s largest by production volume, has confirmed it is investigating a cyberattack that has impacted some of its manufacturing facilities across North America.

The company, which operates in over 150 countries with 50 production plants and 55,000 employees, stated that it believes the incident was limited and has been contained.

Reports of the incident first surfaced on Tuesday, September 2, 2025, concerning two production facilities in Aiken County, South Carolina. The very next day, similar disruptions were reported at a manufacturing plant in Joliette, Quebec.

While the Joliette mayor, Pierre-Luc Bellerose, believes all North American plants were affected, the company has characterised the event as a “limited cyber incident.” At the affected plants, employees whose normal duties were stopped were reportedly given a choice: stay on-site to perform preventive maintenance for a full day’s pay or go home without pay.

Bridgestone Americas (BSA), the company’s arm in this region, released a statement saying that its team responded quickly to the issue. As a result, the company believes it was able to contain the incident in its early stages. Bridgestone does not think any customer data or interfaces were compromised and says business is now operating as usual.

“We have launched a comprehensive forensic analysis and believe we contained the incident early,” the company’s statement reads.

****The Suspected Attackers****

The exact nature of the attack is currently unknown, and no threat group has taken formal responsibility. However, it’s worth noting that a group called Scattered Lapsus$ Hunters has been particularly active in recent weeks, claiming responsibility for attacks on other major companies like Jaguar Land Rover and Salesforce.

This group is said to be a merger of three prominent hacking groups: Scattered Spider, Lapsus$, and ShinyHunters. This same group recently made headlines for threatening Google’s CEO, demanding that two security experts be fired or they would leak stolen data.

These groups are known for stealing sensitive data and then trying to extort their victims for money. While their claims about the Bridgestone incident remain unconfirmed, the possibility highlights a broader pattern of high-profile attacks by this group.

This incident marks the second time in recent years that Bridgestone has faced a significant cyberattack, following a LockBit ransomware attack in 2022 (PDF) that also disrupted production. While the company has not confirmed if this latest attack is ransomware, its focus on containing the incident and mitigating potential supply chain fallout shows the seriousness of the situation.

****Expert Perspective****

In comments shared with Hackread.com, Erich Kron, Security Awareness Advocate at KnowBe4, explained the critical challenge for manufacturers. Even a minor attack can require a shutdown of production lines, which is a complex process. He stressed the need for a solid business continuity plan and a human risk management program to combat social engineering attacks like phishing, which are often the entry point for malware.

Bridgestone Confirms Cyberattack Disrupting North American Plants

Chess.com confirms a limited data breach affecting 4,500 users after a third-party file transfer tool was compromised. No…

Chess.com confirms a limited data breach affecting 4,500 users after a third-party file transfer tool was compromised. No passwords or payments exposed.

Chess.com has confirmed that a recent incident exposed information belonging to just over 4,500 users after attackers gained unauthorised access through a third-party file transfer application earlier this summer.

Even though the breach only impacted a small portion of Chess.com’s 150 million users, it is still concerning since the site has suffered multiple data breaches in recent years.

The company explained that the breach took place in two separate attacks on June 5 and June 18 2025. Investigators determined that attackers targeted a file transfer tool, not Chess.com’s own systems, which helped limit the scale of exposure.

According to Chess.com, no account credentials, passwords, or payment data were affected. Instead, the compromised files contained names and other identifiers. The platform says its main systems remain secure, and that the breach did not affect the ability of members to log in or play.

Notifications about the breach began going out to impacted users on September 3. Alongside those notices, Chess.com said it has involved federal law enforcement, hired external cybersecurity experts to investigate, and is offering free identity protection services to help users keep an eye on possible misuse of their information.

****Previous Cybersecurity Issues with Chess.com****

For long-time players, this is not the first time they have heard of their platform facing cybersecurity troubles. In 2021, researchers **identified** a flaw that could have exposed the data of 50 million Chess.com users, but it was responsibly reported to the company and never abused by attackers.

On November 10, 2023, hackers **posted** 800,000 scraped Chess.com user records on a hacking forum. Just two days later, another 476,000 records **appeared** on the same site. Chess.com later explained to Hackread.com that the leaks were the result of API abuse rather than a direct system breach.

Nevertheless, the difference with the 2025 breach is that it originated from a third-party vendor, not from automated scraping or credential leaks. Plus, it only includes a few hundred users’ data. Yet, players should remain alert, use strong, unique passwords, and watch for suspicious activity linked to their accounts.

Source

HackRead