Chess.com suffers data breach via third-party file transfer app
Summary
Chess.com experienced a data breach in June 2025, where unauthorized actors accessed a third-party file transfer app used by the platform. The breach occurred between June 5 and June 18, affecting approximately 4,500 users out of the platform's 100 million user base. The compromised data includes names and other personally identifiable information (PII). Chess.com discovered the breach on June 19 and has since taken measures to secure its systems and notify law enforcement. The platform is offering impacted users free identity theft and credit monitoring services. This is the second cyber incident for Chess.com in recent years, following a 2023 data breach where over 800,000 user records were scraped and posted online.
Timeline
- 04.09.2025 20:51 (1 article): Chess.com data breach via third-party file transfer app
  Chess.com experienced a data breach in June 2025, where unauthorized actors accessed a third-party file transfer app used by the platform. The breach occurred between June 5 and June 18, affecting approximately 4,500 users. The compromised data includes names and other personally identifiable information (PII). Chess.com discovered the breach on June 19 and has since taken measures to secure its systems and notify law enforcement. The platform is offering impacted users free identity theft and credit monitoring services.
  Source: Chess.com discloses recent data breach via file transfer app — www.bleepingcomputer.com — 04.09.2025 20:51
Information Snippets
All snippets first reported 04.09.2025 20:51 (1 source, 1 article): Chess.com discloses recent data breach via file transfer app — www.bleepingcomputer.com — 04.09.2025 20:51
- The breach occurred between June 5 and June 18, 2025.
- Approximately 4,500 users were affected out of Chess.com's 100 million user base.
- The compromised data includes names and other personally identifiable information (PII).
- Chess.com discovered the breach on June 19, 2025, and launched an investigation.
- The platform has emphasized that its own infrastructure and member accounts remained unaffected.
- Chess.com is offering impacted users 1-2 years of free identity theft and credit monitoring services.
- In November 2023, Chess.com suffered another cyber incident where over 800,000 user records were scraped and posted online.
Similar Happenings
Crypto fraud ring dismantled by European authorities
A joint operation by European law enforcement agencies has dismantled a cryptocurrency investment fraud ring that defrauded over 100 victims of €100 million ($118 million). The operation, coordinated by Eurojust and supported by Europol, involved authorities from Spain, Portugal, Bulgaria, Italy, Lithuania, and Romania. The ring operated since at least 2018, targeting investors across 23 countries, including France, Germany, Italy, and Spain. The fraudsters used professionally designed online platforms to promise high returns on cryptocurrency investments. Funds were funneled into bank accounts in Lithuania, and victims were charged additional fees to recover their assets. The fraudulent websites eventually went offline, leaving investors with significant losses. Five suspects were arrested, and bank accounts and financial assets were frozen during the operation. The main perpetrator has been accused of large-scale fraud and money laundering.
RaccoonO365 Phishing Network Disrupted by Microsoft and Cloudflare
The RaccoonO365 phishing network, a financially motivated threat group, was disrupted by Microsoft's Digital Crimes Unit (DCU) and Cloudflare. The operation, executed through a court order in the Southern District of New York, seized 338 domains used by the group since July 2024. The network targeted over 2,300 organizations in 94 countries, including at least 20 U.S. healthcare entities, and stole over 5,000 Microsoft 365 credentials. The RaccoonO365 network operated as a phishing-as-a-service (PhaaS) toolkit, marketed to cybercriminals via a subscription model on a private Telegram channel. The group used legitimate tools like Cloudflare Turnstile and Workers scripts to protect their phishing pages, making detection more challenging. The mastermind behind RaccoonO365 is believed to be Joshua Ogundipe, who received over $100,000 in cryptocurrency payments. The group is also suspected to collaborate with Russian-speaking cybercriminals. Cloudflare executed a three-day 'rugpull' against RaccoonO365, banning all identified domains, placing interstitial 'phish warning' pages, terminating associated Workers scripts, and suspending user accounts to prevent re-registration.
BreachForums Administrator Fitzpatrick Resentenced to Three Years in Prison
Conor Brian Fitzpatrick, alias Pompompurin, the administrator of the BreachForums hacking forum, has been resentenced to three years in prison. Fitzpatrick was initially sentenced to time served and 20 years of supervised release, but this was overturned due to violations of pretrial release conditions. BreachForums was a significant platform for trading and selling stolen data and access to corporate networks. Fitzpatrick's resentencing follows his guilty pleas to charges of conspiracy to commit access device fraud, solicitation for the purpose of offering access devices, and possession of child sexual abuse material (CSAM). The forum's activities included the sale and trade of stolen data from various sectors, including telecom providers, social networks, healthcare companies, investment firms, and government agencies. Fitzpatrick agreed to forfeit over 100 domain names, a dozen electronic devices, and cryptocurrency used in the operation of BreachForums. The U.S. Court of Appeals for the Fourth Circuit vacated Fitzpatrick's prior sentence on January 21, 2025. BreachForums had over 14 billion individual records at its peak and was relaunched multiple times despite efforts to shut it down. The original BreachForums database was leaked in July 2024, exposing members' information. ShinyHunters claimed the forum was compromised and under the control of international law enforcement in August 2025. The copycat forum went offline in September 2025, stating they have "decided to go dark" along with 14 other e-crime groups.
Plex Data Breach Exposes Customer Authentication Details
Plex, a media streaming platform, has suffered a data breach where an unauthorized third party accessed a subset of customer data from one of its databases. The compromised information includes email addresses, usernames, and securely hashed passwords. Plex has advised users to reset their passwords, enable two-factor authentication, and sign out connected devices to secure their accounts. The breach did not include payment card information. Plex has addressed the vulnerability and launched internal reviews to improve security. The company also warns users about potential phishing attacks. This is the second data breach for Plex, prompting users to take immediate action to secure their accounts.
Salesloft OAuth Breach via Drift AI Chat Agent Exposes Salesforce Customer Data
The threat actor, tracked as UNC6395 by Google and GRUB1 by Cloudflare, exploited OAuth tokens associated with the Drift AI chat agent to breach Salesloft and steal data from Salesforce customer instances. The campaign, active from August 8 to at least August 18, 2025, targeted over 700 organizations, including Workiva and Stellantis, and impacted all integrations connected to the Drift platform, not just Salesforce. The attackers exported large volumes of data, including credentials for AWS, passwords, and Snowflake access tokens. Zscaler, Palo Alto Networks, Cloudflare, and Workiva reported data breaches after threat actors accessed their Salesforce instances via compromised Salesloft Drift credentials, exposing customer information. The breach began with the compromise of Salesloft's GitHub account, accessed by UNC6395 from March to June 2025. The threat actor accessed multiple repositories, added a guest user, and established workflows. Reconnaissance activities occurred in the Salesloft and Drift application environments between March and June 2025. The attackers accessed Drift's AWS environment and obtained OAuth tokens for Drift customers' technology integrations. Salesloft isolated the Drift infrastructure, application, and code, and took the application offline on September 5, 2025. Salesloft rotated credentials in the Salesloft environment and hardened it with improved segmentation controls. Salesloft recommends that all third-party applications integrated with Drift via API key revoke the existing key. Salesforce restored the integration with the Salesloft platform on September 7, 2025, except for the Drift app, which remains disabled. Salesloft and Salesforce have taken steps to mitigate the breach, including revoking tokens and removing the Drift application from AppExchange. The breach highlights the risks associated with third-party integrations and the potential for supply chain attacks. 
UNC6395 demonstrated operational discipline, querying and exporting data methodically, and attempting to cover their tracks by deleting query jobs. The targeted organizations included security and technology companies, suggesting a broader strategy to infiltrate vendors and service providers. The campaign is limited to Salesloft customers who integrate their own solutions with the Salesforce service. There is no evidence that the breaches directly impacted Google Cloud customers, though any of them that use Salesloft Drift should review their Salesforce objects for any Google Cloud Platform service account keys. The threat groups ShinyHunters and Scattered Spider claimed responsibility for many of the related Salesforce attacks, and vishing has been cited as the means of compromise. Google disclosed that UNC6040 breached one of its Salesforce instances using these tactics. The UNC6395 Salesloft Drift activity is separate from the vishing attacks attributed to UNC6040. Okta successfully defended against a potential breach by enforcing inbound IP restrictions, securing tokens with DPoP, and using the IPSIE framework. Okta recommends that organizations demand IPSIE integration from application vendors and implement an identity security fabric. Palo Alto Networks' Unit 42 advised organizations to conduct immediate log reviews for signs of compromise and rotate exposed credentials. Okta suggests reducing the blast radius of a single entity breach by constraining token use by IP and client and ensuring granular permissions for M2M integrations. The FBI has issued a FLASH alert warning that two threat clusters, tracked as UNC6040 and UNC6395, are compromising organizations' Salesforce environments to steal data and extort victims. UNC6040 is a threat actor that specializes in voice phishing, or vishing, and was recently observed using social engineering to pose as IT support staff to get into Salesforce environments.
UNC6395 is best known for using stolen OAuth tokens from Salesloft's Drift application, which has a Salesforce integration, to steal sensitive data from hundreds of Salesforce environments earlier this year. The FBI's latest advisory provides additional context into the technical aspects of the threat campaigns, particularly UNC6040's activity, which began last fall. The advisory also includes indicators of compromise, including IP addresses and URLs associated with the two campaigns.
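The Salesloft entry above relays Google's advice to review Salesforce objects for Google Cloud Platform service account keys, and Unit 42's advice to find and rotate exposed credentials. The scanner below is an added example written for this page; it is not code from Salesloft, Salesforce, Google, Okta or Palo Alto Networks. It runs over constructed sample records (a fabricated `Description` field on each, with placeholder secrets) and flags AWS access key IDs by their documented `AKIA`/`ASIA` prefix, GCP service-account key JSON by its `type` and `private_key` members, and any other PEM private-key block. Snowflake access tokens have no fixed format to key on, so they are not covered.

```python
import json
import re

# Constructed sample of exported Salesforce records. Every Id and secret here is
# a fabricated placeholder; real exports would come from a Salesforce data export
# or Bulk API query (not shown) and should be scanned field by field.
SAMPLE_RECORDS = [
    {"Id": "500xx000000001",
     "Description": "Customer reports slow login; nothing sensitive here."},
    {"Id": "500xx000000002",
     "Description": "temp creds for vendor: AKIAABCDEFGHIJKLMNOP / secret in vault"},
    {"Id": "500xx000000003",
     "Description": json.dumps({
         "type": "service_account",
         "project_id": "example-project",
         "private_key_id": "abc123",
         "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEv...placeholder...\n-----END PRIVATE KEY-----\n",
         "client_email": "svc@example-project.iam.gserviceaccount.com",
     })},
    {"Id": "500xx000000004",
     "Description": "Key for pipeline:\n-----BEGIN RSA PRIVATE KEY-----\nMIIB...placeholder...\n-----END RSA PRIVATE KEY-----"},
]

# AWS access key IDs are 20 characters: a fixed prefix (AKIA for long-term keys,
# ASIA for temporary ones) followed by 16 upper-case alphanumerics.
AWS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# Any PEM private-key header, e.g. "BEGIN PRIVATE KEY" or "BEGIN RSA PRIVATE KEY".
PEM_PRIVATE_KEY = re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----")

# Defender action for each finding kind; the finding itself is the rotation list.
ACTIONS = {
    "aws_access_key_id": "deactivate the key in IAM and issue a replacement",
    "gcp_service_account_key": "delete the service-account key and re-issue if still needed",
    "pem_private_key": "identify the system the key authenticates to and rotate it",
}


def parse_service_account(text):
    """Return the parsed GCP service-account key if `text` is one, else None."""
    try:
        obj = json.loads(text)
    except ValueError:  # json.JSONDecodeError is a ValueError subclass
        return None
    if isinstance(obj, dict) and obj.get("type") == "service_account" and "private_key" in obj:
        return obj
    return None


def find_secrets(text):
    """Return the kinds of secrets present in one free-text field."""
    kinds = []
    if AWS_KEY_ID.search(text):
        kinds.append("aws_access_key_id")
    if parse_service_account(text) is not None:
        # A service-account JSON also contains a PEM block; report it once, as GCP.
        kinds.append("gcp_service_account_key")
    elif PEM_PRIVATE_KEY.search(text):
        kinds.append("pem_private_key")
    return kinds


def scan_records(records, fields=("Description",)):
    """Scan the named text fields of each record; return one finding per secret kind."""
    findings = []
    for rec in records:
        for field in fields:
            value = rec.get(field)
            if not isinstance(value, str):
                continue
            for kind in find_secrets(value):
                findings.append({"Id": rec["Id"], "field": field, "kind": kind,
                                 "action": ACTIONS[kind]})
    return findings


if __name__ == "__main__":
    for finding in scan_records(SAMPLE_RECORDS):
        print(f"{finding['Id']} {finding['field']}: {finding['kind']} -> {finding['action']}")
```

Each finding is a credential to rotate, which is the point of the exercise: an attacker who exported these objects already holds the secret, so the review ends in revocation, not just a report. In real use, run the scan over every long-text field of the exported objects (cases, notes, attachments), and treat a hit as confirmed exposure from the first date the attacker could have read the record.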