
VRChat has disclosed a data breach affecting 2,436,782 users after attackers gained unauthorized access to data stored in the company's cloud environment.
The incident exposed account-related information, including email addresses, usernames, login history, and linked platform identifiers, though passwords and payment information were not compromised.
The disclosure submitted to the Maine Attorney General's Office reveals that the breach occurred between May 10 and May 12, 2026. According to the filing, VRChat discovered the unauthorized activity on May 12 and subsequently launched a forensic investigation with the assistance of external cybersecurity experts. The company said it immediately contained the intrusion upon detection and began assessing the scope of the exposure.
VRChat is a popular social virtual reality platform that allows users to interact through customizable avatars in user-created virtual worlds. Available on PC, VR, and standalone headsets, the service has built a large global community and offers premium subscription features through its VRChat+ program.
According to the notification sent to affected users, the attackers accessed certain user account information stored within VRChat's cloud infrastructure. The exposed data varied between accounts but may have included:
- VRChat usernames
- Email addresses associated with accounts
- VRChat+ subscription status
- Login history records containing device information
- Hardware identifiers
- IP addresses
- Steam or Meta account identifiers linked to VRChat profiles
The company stated that its investigation found no evidence that passwords were accessed during the breach. Additionally, payment card information and government-issued identification documents submitted through the platform's age verification process were reportedly not affected.
The nature of the intrusion was classified in the Maine filing as an “external system breach (hacking),” indicating that the exposure resulted from unauthorized access by a third party rather than an internal error or accidental disclosure.
VRChat said it will begin notifying impacted users electronically on June 12, 2026. Despite the large number of affected individuals, the company indicated in its filing that it is not offering identity theft protection or credit monitoring services to victims.
In its notice, VRChat emphasized that it has already implemented additional security controls following the incident. The company also reported engaging cybersecurity professionals to monitor for further malicious activity and to assist with strengthening its defenses.
While the exposed information does not appear to include financial data or passwords, the compromised records still elevate the risk of targeted phishing for impacted individuals. Users who receive a notification from VRChat should remain alert for suspicious emails, messages, or account-related communications that reference VRChat, Steam, or Meta services.






