A security breach at Chess.com, a popular online chess platform and social networking site, has led to the exposure of personal data of more than 800,000 users.
The incident was reported after a threat actor, known by the alias 'DrOne', leaked the scraped database on Breach Forums, a notorious hub for cybercriminal activities, on November 8, 2023, according to Hackread.com.
Chess.com has a user base exceeding 150 million, so the leaked records cover roughly 0.533% of its total users.
The database revealed on Breach Forums includes full names, usernames, profile links, email addresses, users' countries of origin, avatar URLs, universally unique identifiers (UUID), user IDs, and registration dates, with the latest sign-up recorded in September 2023.
Have I Been Pwned (@haveibeenpwned) posted on November 10, 2023: "New breach: Chess had over 800k user records scraped this week and published to a popular hacking forum. The data included email address, name, username and the geographic location of the user. 99% were already in @haveibeenpwned. Read more: https://t.co/neunBetNgR"
Does not include passwords
While the leaked information does not include passwords, it represents a significant risk for phishing scams, identity theft and social engineering attacks.
The leak is particularly alarming because the email addresses involved appear to be valid and tied to active accounts: when Hackread.com attempted to sign up using these emails, the site returned a notification stating, 'An account already exists with this email address'.
Web scraping, the method likely used to collect this data, is difficult to prevent, especially for large sites like Chess.com.
Measures such as rate limiting and captcha challenges are often deployed, but scrapers continually develop new methods to bypass these defences.
Not the first cybersecurity issue
This is not the first cybersecurity issue for Chess.com. In February 2021, ethical hacker Sam Curry identified a critical vulnerability that could potentially grant access to any account, including administrative ones.
Given the nature of this breach, Chess.com users are advised to change passwords not only on Chess.com but also on other platforms where the same password may be used.
Additionally, users should exercise caution with emails containing links, verifying the real URL before clicking to avoid phishing scams.
This incident underscores the importance of robust cybersecurity measures and user vigilance in protecting personal information online.