Chess.com, one of the world’s largest online platforms for playing chess, has disclosed a data breach affecting 4,541 people, including residents of Maine and Vermont. The company confirmed that an external hacking incident involving a third-party file transfer tool led to the exposure of limited personal information.
According to filings with state regulators, the Chess.com data breach occurred on June 5 and June 18, 2025, but was not discovered until June 19. The company said federal law enforcement was immediately notified once the breach was identified. Consumer notifications were issued on September 3.
In a letter to affected individuals, company explained that an unauthorized actor gained access to data stored in the third-party application and obtained certain files containing personal information. The company stressed that its core systems and member accounts were not compromised, and there is no evidence that the stolen data has been misused or publicly disclosed.
“Out of an abundance of caution we are notifying you in order to explain the circumstances as we understand them and the resources we are making available to you,” the notice read.
What Information Was Exposed in Chess.com Data Breach
The Chess.com data breach involved names and unspecified personal details belonging to a small fraction of Chess.com’s user base—fewer than 0.003% of accounts. No financial information, passwords, or login credentials were affected, the company said.
Moreover, the timing of the Chess.com data breach coincides with reports of serious vulnerabilities in several widely used file transfer products, including Wing FTP and CrushFTP, which disclosed flaws in July 2025 that required urgent patching.
The Cyber Express reached out to Chess.com for additional details regarding the breach. In response, a spokesperson said:
“In June, we became aware of unauthorized access to data stored in a third-party file transfer application used by Chess.com. Chess.com’s code was not compromised. We determined that the unauthorized actor acquired certain data belonging to fewer than 0.003% of users. No banking information or member accounts—including usernames and passwords—were disclosed as a result of this incident. We also have no indication that any of the data has been shared publicly on any online sources. We are in the process of notifying affected individuals.”
Response Measures Taken by Chess.com
After discovering the incident, Chess.com launched an internal investigation and engaged external cybersecurity experts to help assess the scope and impact. Federal law enforcement agencies were also brought in.
The company said the incident has since been contained and additional security measures have been implemented to prevent similar attacks in the future.
To support affected individuals, company is offering complimentary identity protection services, including credit monitoring, CyberScan monitoring, a $1 million insurance reimbursement policy, and identity theft recovery assistance. Victims have until December 3, 2025, to activate these services through IDX, a third-party provider.
Advice for Users
While Chess.com emphasized that there is no indication of fraud or misuse tied to the breach, the company urged users to remain vigilant. Affected individuals were advised to:
- Monitor bank and credit card statements for unusual activity.
- Be cautious about unsolicited communications asking for personal information.
- Avoid clicking on suspicious links or downloading unexpected email attachments.
- Report any suspected identity theft to financial institutions or relevant authorities.
Federal regulators typically recommend ongoing vigilance for 12 to 24 months following a potential data exposure.
Founded in 2005, Chess.com has grown into a global hub for chess enthusiasts, hosting more than 10 million games per day for over 100 million registered users. The platform offers online matches, tournaments, lessons, and live broadcasts, and has become a central part of the chess community worldwide.
Despite the size of its user base, the number of individuals impacted by this Chess.com data breach remains relatively small.
So far, no hacking group has claimed responsibility for the Chess.com Cyberattack. Chess.com has told victims it has “no indication that any of your impacted data has been shared publicly on any online sources.”
