CyberHappenings logo
☰

Track cybersecurity events as they unfold. Sourced timelines, daily updates. Fast, privacy‑respecting. No ads, no tracking.

Chess.com data breach via third-party file transfer app

First reported
Last updated
πŸ“° 1 unique sources, 1 articles

Summary

Hide β–²

Chess.com disclosed a data breach after unauthorized access to a third-party file transfer application. The incident occurred between June 5 and June 18, 2025, affecting approximately 4,500 users. The breach involved names and other personally identifiable information (PII). Chess.com discovered the breach on June 19, 2025, and has since taken measures to secure its systems and notify affected users. No financial information was compromised, and there is no evidence of misuse of the stolen data. The platform is offering free identity theft and credit monitoring services to impacted users.

Timeline

  1. 04.09.2025 20:51 πŸ“° 1 articles Β· ⏱ 12d ago

    Chess.com data breach via third-party file transfer app

    Between June 5 and June 18, 2025, unauthorized access to a third-party file transfer application used by Chess.com compromised names and PII of approximately 4,500 users. The breach was discovered on June 19, 2025, and Chess.com has taken measures to secure its systems and notify affected users.

    Show sources

Information Snippets

Similar Happenings

Plex Data Breach Compromises User Authentication Data

Plex has suffered a data breach, exposing customer authentication data. The breach included email addresses, usernames, and securely hashed passwords. Plex has advised users to reset their passwords, enable two-factor authentication (2FA), and sign out of all devices as a precaution. The breach did not include payment card information. Plex has addressed the vulnerability used in the breach but has not disclosed technical details. The company has also launched internal reviews to improve security and has advised users to be wary of potential phishing attacks. This is the second such incident affecting Plex users.

Salesloft Disables Drift Following OAuth Token Theft

Salesloft has taken Drift offline due to a security incident involving the theft of OAuth tokens and unauthorized access to Salesforce data. The breach began with the compromise of Salesloft's GitHub account, affecting multiple major tech companies, including Cloudflare, Google Workspace, PagerDuty, Palo Alto Networks, Proofpoint, SpyCloud, Tanium, Tenable, Zscaler, Tenable, Qualys, Rubrik, Spycloud, BeyondTrust, CyberArk, Elastic, Dynatrace, Cato Networks, and BugCrowd. The incident was attributed to a threat cluster tracked as UNC6395 and GRUB1. The breach occurred on September 5, 2025, affecting the marketing software-as-a-service product Drift. The attackers exploited vulnerabilities to steal authentication tokens, leading to unauthorized access to sensitive data. Salesloft has temporarily disabled Drift to conduct a comprehensive review and enhance security measures. The ShinyHunters extortion gang and threat actors claiming to be Scattered Spider were involved in the Salesloft Drift attacks, in addition to the previous Salesforce data theft attacks. The threat actors primarily focused on stealing support cases from Salesforce instances, which were then used to harvest credentials, authentication tokens, and other secrets shared in the support tickets. The threat actors' primary objective was to steal credentials, specifically focusing on sensitive information like AWS access keys, passwords, and Snowflake-related access tokens. The number of impacted companies has been updated to 29. Cloudflare disclosed that some customer support cases stored in Salesforce included configuration settings and 104 Cloudflare API tokens. Salesforce restored integration with the Salesloft platform, except for the Drift app, which remains disabled until further notice. The breach also affected Qantas, where executives had their short-term compensation reduced by 15% due to a data breach that impacted approximately 5.7 million passengers.

Jaguar Land Rover Production Disrupted by Cyberattack

Jaguar Land Rover (JLR) experienced a cyberattack that severely disrupted its production and retail operations. The attack prompted the company to shut down several systems to mitigate the impact. Customer data was compromised, and the exact nature of the attack and the timeline for recovery remain unclear. The incident affected multiple systems, including those at the Solihull production plant, where popular models like the Land Rover Discovery and Range Rover are manufactured. The attack occurred over the weekend, a common time for such incidents due to reduced response capabilities. This is the second cyberattack JLR has suffered this year, raising concerns about potential vulnerabilities from the previous attack. JLR has extended the production shutdown for another week, with operations expected to resume on September 24, 2025. The company is still investigating the incident and has not attributed the breach to a specific cybercrime group.

ShadowCaptcha Campaign Exploits WordPress Sites to Deliver Malware

A large-scale campaign, codenamed ShadowCaptcha, has been exploiting over 100 compromised WordPress sites to spread ransomware, information stealers, and cryptocurrency miners. The campaign uses fake CAPTCHA verification pages to trick users into executing malicious payloads. The attacks began in August 2025 and target various sectors, including technology, hospitality, legal/finance, healthcare, and real estate. The primary objectives are data theft, illicit cryptocurrency mining, and ransomware deployment. The campaign employs social engineering, living-off-the-land binaries (LOLBins), and multi-stage payload delivery to maintain persistence on targeted systems. The attacks start with malicious JavaScript code injected into compromised WordPress sites, redirecting users to fake CAPTCHA pages. From there, the attack chain forks into two paths: one using the Windows Run dialog and the other guiding victims to save and run an HTML Application (HTA) file. The compromised sites are primarily located in Australia, Brazil, Italy, Canada, Colombia, and Israel. The attackers likely gained access through known exploits in WordPress plugins and compromised credentials. The "Scattered Lapsus$ Hunters" group, linked to Shiny Hunters, Scattered Spider, and Lapsus$, has been identified as behind widespread data theft attacks targeting Salesforce data and other high-profile companies. The group has claimed access to Google's Law Enforcement Request System (LERS) and the FBI's eCheck background check system, raising concerns about potential impersonation of law enforcement and unauthorized access to sensitive user data. Mitigation strategies include user training, network segmentation, and securing WordPress sites with multi-factor authentication (MFA).

Threat Actors Exploit VPS Infrastructure for SaaS Account Compromises

Threat actors, including the China-linked APT41 group, are exploiting commercial virtual private server (VPS) infrastructure to quickly and stealthily set up attack infrastructure. This tactic has been observed in coordinated SaaS account compromises across multiple customer environments and in targeted cyber espionage campaigns against U.S. trade officials. The abuse of VPS services allows attackers to bypass geolocation-based defenses, evade IP reputation checks, and blend into legitimate behavior. The attacks involved brute-force attempts, anomalous logins, phishing campaign-related inbox rule creation, and impersonation tactics. In notable incidents, attackers successfully compromised accounts by exploiting VPS services from providers such as Hyonix, Host Universal, Mevspace, and Hivelocity. The attackers deleted phishing emails and created obfuscated email rules to conceal their activities. The use of VPS infrastructure enables attackers to rapidly deploy infrastructure, making it difficult for defenders to track and respond to threats. The impersonation of U.S. Rep. John Moolenaar was part of a larger espionage campaign targeting U.S. trade officials. The campaign involved spear-phishing attacks impersonating a U.S. Congressman to gain unauthorized access to systems and sensitive information. The attacks exploited developer tools to create hidden pathways and siphon data to attacker-controlled servers.