Chess.com discloses recent data breach via file transfer app
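In June 2025, Chess.com suffered a data breach after a third-party file transfer application was compromised, affecting about 4,500 users. The exposed data includes names and other PII; no financial information was involved. The company has strengthened its security and is offering two years of free monitoring services. A similar incident also occurred earlier, in 2023. 2025-9-4 18:0:24 Author: www.bleepingcomputer.com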


Chess.com has disclosed a data breach after threat actors gained unauthorized access to a third-party file transfer application used by the platform.

The incident occurred in June 2025, with the threat actors maintaining access to the application for two weeks, between June 5 and June 18.

Chess.com discovered the breach on June 19, 2025, and launched an investigation to determine its scope and impact.

"On June 19, 2025, Chess.com became aware of potential unauthorized access to data stored in a third-party file transfer application used by Chess.com," reads the notice sent to impacted users.

"Upon becoming aware of the incident, we started an investigation, retained leading experts, notified federal law enforcement, and began taking measures to address the incident."

According to the investigation, the incident affects only a very small percentage of the platform's massive 100 million user base, estimated to be just over 4,500 users.

Chess.com is one of the world's largest online chess portals, operating as a match hosting platform and also a social networking website for lovers of the game.

The platform has emphasized that the incident only affected the unnamed third-party app, while its own infrastructure and member accounts remained unaffected.

Still, the data that may have been accessed includes names and other personally identifiable information (PII) that has not been included in the sample notices Chess.com shared with the authorities.

Chess.com noted that no financial information has been exposed, and it has no evidence that the stolen data has been publicly disclosed or misused yet.

The platform states that it has taken additional measures to secure its systems and notified law enforcement accordingly. It also offers impacted members 1-2 years of free identity theft and credit monitoring services.

Letter recipients are given until December 3, 2025, to enroll in the offered services, but it is recommended to do so as soon as possible.

In November 2023, Chess.com suffered another cyber incident, where over 800,000 user records were scraped from its website by exploiting an API flaw and later posted on a hacking forum.

The information exposed in that case included, according to HaveIBeenPwned, email addresses, full names, usernames, and geographic locations.

BleepingComputer has contacted Chess.com to ask what types of data have been exposed and the name of the third party that was breached, but we are still waiting for a response.


Source: https://www.bleepingcomputer.com/news/security/chesscom-discloses-recent-data-breach-via-file-transfer-app/