A data breach notice has been filed with the Maine Attorney General, saying more than 2.4 million users of VRChat have had their data breached.
The question is, was it VRChat who filed the breach notice, or did someone pretending to represent the company post it instead? On Reddit, a VRChat representative posted:
VRChat did not submit this Notice of Data Incident, and we have no reason to believe that our systems have been compromised. We are in the process of contacting the Maine Attorney General’s office to have this removed.
The breach notice states that VRChat experienced unauthorized access to some account data between May 10 and May 12, 2026. The access supposedly happened in VRChat’s cloud environment and involved user profile and login-related data.
According to the notice, the information exposed varied by account, but may have included:
- VRChat username
- Email address associated with the VRChat account
- VRChat+ subscription status
- Login history, including device information, hardware identifiers, and IP addresses
VRChat is a social platform designed primarily for virtual reality headsets, allowing users to interact with others through user-created 3D avatars and worlds. Users can access VRChat through Steam for PC, the Meta Quest Store, or as an Android app for compatible devices.
The notice states that no passwords or payment card data was exposed. However, even without passwords or card details, there are still potential risks when it comes to other breached data.
Phishing
Cybercriminals may use usernames and email addresses in targeted phishing attempts. For example, users may receive phishing emails or in‑platform messages claiming to be from “Support,” with fake security alerts or prompts to “confirm your age” via a malicious link.
Knowledge of subscription status could make scams more convincing. A scammer could send tailored lures like “billing issue with your subscription” or refund scams, which tend to have higher click-through rates among paying users.
Account takeover
Cybercriminals may combine usernames and email addresses from one breach with passwords stolen in other data breaches and try them against accounts. This technique, known as credential stuffing, takes advantage of people who reuse passwords across multiple sites.
Valuable accounts may then be sold to other players or used for scams.
Identity correlation
Steam and Meta user IDs linked to breached accounts can help cybercriminals connect identities across gaming and social platforms, especially if the same email or profile name is reused.
IP addresses, login history, device information, and other identifiers can also help build a more detailed advertising or tracking profile of a user.
How to stay safe
Whether or not the breach turns out to be an actual breach, here are some steps you can take to protect yourself:
First and foremost, be cautious of emails, texts, or calls claiming to come from VRChat or the gaming platforms you used it on, as cybercriminals often exploit breaches with phishing scams.
If you’ve used your VRChat password anywhere else, change those accounts immediately, and set up two-factor authentication (2FA) on your VRChat account if you haven’t already.
More general advice can be found in our article on what to do when you find out you’re involved in a data breach.
Update June 11, 2026: Article was updated to reflect VRChat’s post on Reddit.
Before publishing our original article, we tried to contact VRChat on two separate email addresses but received no meaningful response.
Let’s face it, an incognito window can only do so much.
Breaches, dark web trading, credit fraud. Malwarebytes Identity Theft Protection monitors for all of it, alerts you fast, and comes with identity theft insurance.
