Cybersecurity Alert: Hacker Claims Breach of Cal AI, Exposing 3 Million Users’ Data
A hacker operating under the alias vibecodelegend has claimed responsibility for breaching Cal AI, a popular AI-driven smartphone app that tracks calories and nutrition through food image analysis. The alleged breach was announced on March 9, 2026, via a post on the cybercrime marketplace BreachForums.
Cal AI, which recently acquired the widely used fitness app MyFitnessPal, has seen rapid growth in the health and nutrition tracking market. MyFitnessPal itself suffered a major breach in 2018, when hackers stole data from over 150 million users under its former owner, Under Armour.
According to the hacker, the stolen dataset contains 12 GB of personal data from over 3 million Cal AI users, including:
- Personal details: Names, dates of birth, genders, usernames, and social media profiles.
- Security-related data: PIN codes and subscription information.
- Physical attributes: Height and weight records.
- Behavioral data: Meal logs, calorie tracking, and eating habits, revealing sensitive lifestyle patterns.
- Email addresses: Over 2.8 million unique emails, with nearly 1.2 million linked to Apple’s Private Relay service, which masks users’ real addresses.
While Hackread.com analyzed the leaked data and found indications of credibility, Cal AI has not yet responded to requests for confirmation. The company remains the only authority that can verify the breach. If confirmed, the incident could expose a vast trove of personal and behavioral data, heightening risks of identity theft, phishing, and targeted exploitation.
The leaked data is already circulating on Russian-speaking platforms and Telegram channels known for distributing stolen information. No official statement has been issued by Cal AI at the time of reporting.
Source: https://hackread.com/cal-ai-myfitnesspal-data-breach-3m-users/
Cal AI cybersecurity rating report: https://www.rankiteo.com/company/cal-ai-app
{
  "id": "CAL1773182085",
  "linkid": "cal-ai-app",
  "type": "Breach",
  "date": "3/2026",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{'affected_entities': [{'customers_affected': '3 million',
                        'industry': 'Health and Nutrition Tracking',
                        'name': 'Cal AI',
                        'type': 'Company'}],
 'data_breach': {'data_exfiltration': 'Yes',
                 'number_of_records_exposed': '3 million',
                 'personally_identifiable_information': 'Yes',
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['Personal details (names, dates '
                                              'of birth, genders, usernames, '
                                              'social media profiles)',
                                              'Security-related data (PIN '
                                              'codes, subscription '
                                              'information)',
                                              'Physical attributes (height and '
                                              'weight records)',
                                              'Behavioral data (meal logs, '
                                              'calorie tracking, eating '
                                              'habits)',
                                              'Email addresses (2.8 million '
                                              'unique emails, 1.2 million '
                                              'linked to Apple’s Private '
                                              'Relay)']},
 'date_detected': '2026-03-09',
 'date_publicly_disclosed': '2026-03-09',
 'description': 'A hacker operating under the alias *vibecodelegend* has '
                'claimed responsibility for breaching Cal AI, a popular '
                'AI-driven smartphone app that tracks calories and nutrition '
                'through food image analysis. The alleged breach was announced '
                'on March 9, 2026, via a post on the cybercrime marketplace '
                'BreachForums. The stolen dataset contains 12 GB of personal '
                'data from over 3 million Cal AI users, including personal '
                'details, security-related data, physical attributes, '
                'behavioral data, and email addresses.',
 'impact': {'brand_reputation_impact': 'Potential reputational damage',
            'data_compromised': '12 GB of personal data',
            'identity_theft_risk': 'Heightened risk of identity theft and '
                                   'phishing'},
 'initial_access_broker': {'data_sold_on_dark_web': 'Yes (Russian-speaking '
                                                    'platforms and Telegram '
                                                    'channels)'},
 'investigation_status': 'Ongoing',
 'references': [{'date_accessed': '2026-03-09', 'source': 'BreachForums'},
                {'source': 'Hackread.com'}],
 'threat_actor': 'vibecodelegend',
 'title': 'Hacker Claims Breach of Cal AI, Exposing 3 Million Users’ Data',
 'type': 'Data Breach'}