
Article Update – VRChat has disputed the authenticity of the notice via an unofficial announcement on its Discord server. We are following this closely to update the post for accuracy.
Update 2 – VRChat has confirmed via a statement to CyberInsider that the submission of a data breach notice to the Maine AG office was not made by them, and the information listed on it is fabricated.
VRChat did not submit this Notice of Data Incident, and the employee/email cited does not exist.
We have no reason to believe that our data or systems have been compromised.
We are in the process of contacting the Maine Attorney General's office to have this removed. – VRChat spokesperson
Original article follows…
VRChat has disclosed a data breach affecting 2,436,782 users after attackers gained unauthorized access to data stored in the company's cloud environment.
The incident exposed account-related information, including email addresses, usernames, login history, and linked platform identifiers, though passwords and payment information were not compromised.
The disclosure submitted to the Maine Attorney General's Office reveals that the breach occurred between May 10 and May 12, 2026. According to the filing, VRChat discovered the unauthorized activity on May 12 and subsequently launched a forensic investigation with the assistance of external cybersecurity experts. The company said it immediately contained the intrusion upon detection and began assessing the scope of the exposure.
VRChat is a popular social virtual reality platform that allows users to interact through customizable avatars in user-created virtual worlds. Available on PC, VR, and standalone headsets, the service has built a large global community and offers premium subscription features through its VRChat+ program.
According to the notification sent to affected users, the attackers accessed certain user account information stored within VRChat's cloud infrastructure. The exposed data varied between accounts but may have included:
- VRChat usernames
- Email addresses associated with accounts
- VRChat+ subscription status
- Login history records containing device information
- Hardware identifiers
- IP addresses
- Steam or Meta account identifiers linked to VRChat profiles
The company stated that its investigation found no evidence that passwords were accessed during the breach. Additionally, payment card information and government-issued identification documents submitted through the platform's age verification process were reportedly not affected.
The nature of the intrusion was classified in the Maine filing as an “external system breach (hacking),” indicating that the exposure resulted from unauthorized access by a third party rather than an internal error or accidental disclosure.
VRChat said it will begin notifying impacted users electronically on June 12, 2026. Despite the large number of affected individuals, the company indicated in its filing that it is not offering identity theft protection or credit monitoring services to victims.
In its notice, VRChat emphasized that it has already implemented additional security controls following the incident. The company also reported engaging cybersecurity professionals to monitor for further malicious activity and to assist with strengthening its defenses.
While the exposed information does not appear to include financial data or passwords, the compromised records still elevate the risk of targeted phishing for impacted individuals. Users who receive a notification from VRChat should remain alert for suspicious emails, messages, or account-related communications that reference VRChat, Steam, or Meta services.







This has been debunked by the VRChat team on their discord. The email cited in the notice and the employee it belongs to do not exist.
https://www.maine.gov/agviewer/content/ag/985235c7-cb95-4be2-8792-a1252b4f8318/d52376c9-17af-4c12-8cde-592d1bec2912.html