VRChat Data Breach Exposes 2.4 Million Users’ Account Information
VRChat, a virtual reality social platform, disclosed a data breach affecting over 2.4 million users after unauthorized access occurred in its cloud environment between May 10 and May 12, 2026. The exposed data includes usernames, associated email addresses, VRChat+ subscription status, login history, device information, hardware identifiers, and IP addresses though passwords, payment details, and government ID documents were not compromised.
The breach poses several risks, including targeted phishing attacks leveraging stolen usernames and emails, credential stuffing (where attackers test passwords from other breaches), and identity correlation across gaming and social platforms using linked Steam or Meta IDs. While direct financial fraud is unlikely due to the absence of payment data, the exposed information could enable scams, account takeovers, and enhanced tracking of affected users.
VRChat has implemented additional security measures and is monitoring for further threats. The platform is accessible via Steam, Meta Quest Store, and Android devices, with users interacting through custom 3D avatars and virtual worlds.
Source: https://www.malwarebytes.com/blog/data-breaches/2026/06/data-of-2-4-million-vrchat-users-stolen
VRChat Inc. cybersecurity rating report: https://www.rankiteo.com/company/vrchat
"id": "VRC1781180852",
"linkid": "vrchat",
"type": "Breach",
"date": "5/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': '2.4 million users',
'industry': 'Virtual Reality/Social Platform',
'name': 'VRChat',
'type': 'Company'}],
'attack_vector': 'Unauthorized access to cloud environment',
'customer_advisories': 'Users advised to be cautious of phishing attacks and '
'credential stuffing',
'data_breach': {'number_of_records_exposed': '2.4 million',
'personally_identifiable_information': 'Yes (usernames, email '
'addresses, IP '
'addresses, '
'device/hardware '
'identifiers)',
'sensitivity_of_data': 'Moderate (no passwords or payment '
'details, but includes PII)',
'type_of_data_compromised': ['Usernames',
'Email addresses',
'VRChat+ subscription status',
'Login history',
'Device information',
'Hardware identifiers',
'IP addresses']},
'date_detected': '2026-05-12',
'description': 'VRChat, a virtual reality social platform, disclosed a data '
'breach affecting over 2.4 million users after unauthorized '
'access occurred in its cloud environment between May 10 and '
'May 12, 2026. The exposed data includes usernames, associated '
'email addresses, VRChat+ subscription status, login history, '
'device information, hardware identifiers, and IP addresses. '
'Passwords, payment details, and government ID documents were '
'not compromised. The breach poses risks including targeted '
'phishing attacks, credential stuffing, and identity '
'correlation across gaming and social platforms.',
'impact': {'brand_reputation_impact': 'Potential impact due to data exposure',
'data_compromised': 'Usernames, email addresses, VRChat+ '
'subscription status, login history, device '
'information, hardware identifiers, IP '
'addresses',
'identity_theft_risk': 'High (phishing, credential stuffing, '
'identity correlation)',
'payment_information_risk': 'None (payment details not '
'compromised)',
'systems_affected': 'Cloud environment'},
'response': {'enhanced_monitoring': 'Monitoring for further threats',
'remediation_measures': 'Additional security measures '
'implemented'},
'title': 'VRChat Data Breach Exposes 2.4 Million Users’ Account Information',
'type': 'Data Breach'}