
Chess.com has disclosed a data breach in which threat actors compromised a third-party file transfer application used by the platform, its second major security incident since 2023. The unauthorized access went undetected for two weeks in June 2025 and exposed names and other personally identifiable information (PII) of approximately 4,500 users, a small fraction of its roughly 100-million-strong user base but significant for those affected.

The Anatomy of a Third-Party Compromise

According to Chess.com's disclosure, attackers maintained access to the unnamed file transfer service between June 5 and June 18, 2025. The platform detected anomalies on June 19, triggering an investigation with outside cybersecurity experts and law enforcement. Crucially, Chess.com's core infrastructure and user accounts were not compromised; the breach was confined to the external vendor's system. While no financial data was exposed, the PII that was underscores how third-party integrations extend an organization's attack surface into systems it does not operate or directly monitor.

"Upon becoming aware of the incident, we started an investigation, retained leading experts, notified federal law enforcement, and began taking measures to address the incident," stated Chess.com in user notifications.

Recurring Security Challenges

This incident follows Chess.com's November 2023 breach, in which 800,000 user records were scraped through an API weakness. That data, including emails, names, and locations, later appeared on hacking forums. The two incidents have different root causes, a flaw in Chess.com's own API in 2023 and a compromised vendor in 2025, which shows that user data can leak through first-party code and the supplier ecosystem alike, even at a platform that invests in security. Chess.com is offering affected users one to two years of identity theft monitoring, with enrollment deadlines in December 2025.

Why This Matters for Tech Professionals

  1. Supply Chain Blind Spots: Managed file transfer products such as Accellion FTA and MOVEit Transfer have repeatedly been exploited in mass-extortion campaigns, most prominently by the Cl0p group. This breach reinforces that vendor risk assessment must go beyond annual questionnaires to include continuous monitoring of the vendor's software versions, exposure, and activity.
  2. Data Minimization: Every copy of user PII left sitting in an ancillary system such as a file transfer tool widens the blast radius of a vendor compromise. Files should be scoped to the minimum fields needed, retained only until the transfer completes, and accessible only to the accounts that must read them, with the same least-privilege discipline applied to third parties as to internal systems.
  3. Incident Response Gaps: A two-week dwell time on a vendor-hosted service suggests the vendor's authentication and download logs were not being collected or baselined. Organizations should ingest those logs from external services into their own SIEM and alert on deviations from each account's normal source networks, hours, and transfer volumes.
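The kind of baseline-and-deviation check the third point calls for, shown as an added example rather than anything from Chess.com or its vendor. It builds a per-account profile from a baseline window of constructed file transfer audit records (source networks seen, largest daily download volume) and then flags events in a detection window that come from a new network, happen off-hours, or exceed the baseline volume. The JSON field names, the May/June windows, and the business-hours range are assumptions for illustration; a real deployment would read the vendor's actual export format.

```python
"""
Baseline-and-deviation detection for a third-party file transfer service.
Added example, not Chess.com or vendor code. The log records, field names
(ts, user, src, action, bytes, file), the baseline cutoff and the
business-hours range are all assumptions made for illustration.
"""
import json
from collections import defaultdict
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Constructed sample log: a normal May baseline for two accounts, then a June
# window in which an unknown source pulls several large exports at night.
SAMPLE_LOG = """\
{"ts":"2025-05-06T14:02:11Z","user":"ops-export","src":"203.0.113.10","action":"download","bytes":120000,"file":"weekly_report.csv"}
{"ts":"2025-05-13T14:10:44Z","user":"ops-export","src":"203.0.113.10","action":"download","bytes":118000,"file":"weekly_report.csv"}
{"ts":"2025-05-20T13:58:03Z","user":"ops-export","src":"203.0.113.11","action":"download","bytes":125000,"file":"weekly_report.csv"}
{"ts":"2025-05-27T14:05:30Z","user":"ops-export","src":"203.0.113.10","action":"download","bytes":121000,"file":"weekly_report.csv"}
{"ts":"2025-05-08T09:30:00Z","user":"partner-a","src":"198.51.100.7","action":"upload","bytes":45000,"file":"invoice_0508.pdf"}
{"ts":"2025-05-22T09:41:12Z","user":"partner-a","src":"198.51.100.7","action":"upload","bytes":47000,"file":"invoice_0522.pdf"}
{"ts":"2025-06-03T14:01:09Z","user":"ops-export","src":"203.0.113.10","action":"download","bytes":119000,"file":"weekly_report.csv"}
{"ts":"2025-06-05T02:14:51Z","user":"ops-export","src":"192.0.2.77","action":"login","bytes":0,"file":""}
{"ts":"2025-06-05T02:15:03Z","user":"ops-export","src":"192.0.2.77","action":"download","bytes":3100000,"file":"users_export_2024.csv"}
{"ts":"2025-06-05T02:15:20Z","user":"ops-export","src":"192.0.2.77","action":"download","bytes":2900000,"file":"users_export_2025.csv"}
{"ts":"2025-06-05T02:15:41Z","user":"ops-export","src":"192.0.2.77","action":"download","bytes":250000,"file":"support_tickets.csv"}
{"ts":"2025-06-12T09:35:00Z","user":"partner-a","src":"198.51.100.7","action":"upload","bytes":46000,"file":"invoice_0612.pdf"}
"""

BASELINE_END = datetime(2025, 6, 1, tzinfo=timezone.utc)  # assumption: learn from May, detect in June
BUSINESS_HOURS = range(7, 20)  # assumption: UTC hours that are normal for these accounts


def parse_events(text):
    """Parse one JSON record per line; timestamps become aware datetimes."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(rec)
    return events


def build_baseline(events):
    """Per-account profile from the baseline window: the /24 networks the
    account has used, and the largest download volume seen in one day."""
    profile = defaultdict(lambda: {"nets": set(), "max_daily_bytes": 0})
    daily = defaultdict(int)
    for e in events:
        if e["ts"] >= BASELINE_END:
            continue
        profile[e["user"]]["nets"].add(ip_network(f"{e['src']}/24", strict=False))
        if e["action"] == "download":
            daily[(e["user"], e["ts"].date())] += e["bytes"]
    for (user, _day), total in daily.items():
        p = profile[user]
        p["max_daily_bytes"] = max(p["max_daily_bytes"], total)
    return profile


def detect(events, profile, volume_factor=5):
    """Return (event, reasons) pairs for detection-window events that deviate
    from the account's baseline. Download volume is accumulated per day so a
    burst of medium-sized files trips the threshold as well as one huge file."""
    findings = []
    daily = defaultdict(int)
    for e in events:
        if e["ts"] < BASELINE_END:
            continue
        p = profile.get(e["user"])
        reasons = []
        if p is None:
            reasons.append("account absent from baseline")
        else:
            src = ip_address(e["src"])
            if not any(src in net for net in p["nets"]):
                reasons.append(f"new source network {src}")
            if e["ts"].hour not in BUSINESS_HOURS:
                reasons.append(f"off-hours access at {e['ts'].isoformat()}")
            if e["action"] == "download":
                key = (e["user"], e["ts"].date())
                daily[key] += e["bytes"]
                if p["max_daily_bytes"] and daily[key] > volume_factor * p["max_daily_bytes"]:
                    reasons.append(f"daily download volume {daily[key]} exceeds {volume_factor}x baseline")
        if reasons:
            findings.append((e, reasons))
    return findings


def run(text=SAMPLE_LOG):
    events = parse_events(text)
    return detect(events, build_baseline(events))


if __name__ == "__main__":
    for event, reasons in run():
        print(event["ts"].isoformat(), event["user"], event["action"], event["file"], "|", "; ".join(reasons))
```

Run stand-alone, the script flags only the four June 5 events from 192.0.2.77 and leaves the routine June 3 and June 12 transfers alone. The same logic applied to a vendor's real audit export would have surfaced an intrusion like the one described on its first day rather than its fourteenth; the precondition is that the vendor's logs are actually flowing into a system the customer watches.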

Chess.com has not disclosed the vendor's identity or the precise categories of PII exposed, leaving technical questions unanswered. As supply chain attacks continue to surge (the article cites a 742% increase since 2019, attributed to ENISA), this breach is a stark reminder that securing your own castle is not enough when pawns in your ecosystem remain vulnerable.

Source: BleepingComputer