- Government filing triggered panic over alleged VRChat user data exposure
- VRChat denies any breach, calling the notice completely fabricated and misleading
- Notice claims millions of users affected through cloud system access
Confusion has emerged around claims that millions of VRChat users were affected by a major data security incident after an official publication of a breach notice.
The notice alleged that data linked to over 2.4 million users had been exposed following unauthorized access to the platform’s cloud environment between May 10 and May 12 2026.
However, VRChat has disputed the report entirely, stating that it has no evidence that its systems, user data, or infrastructure were compromised.
VRChat disputes report describing exposure of 2.4 million users
The controversy began after a data incident notice appeared through the Maine Attorney General’s office claiming that the information of 2,436,782 users had been leaked.
According to the notice, the exposed data includes usernames, email addresses, subscriber status, login histories, device details, hardware identifiers, IP addresses, and linked Steam or Meta account identifiers.
The document also stated that passwords, payment card information, financial records, and government identification documents used for age verification were unaffected.
The alleged incident attracted attention because VRChat is one of the largest social virtual reality platforms.
It serves millions of users who have created tens of millions of content items since launching in 2014.
However, VRChat has vehemently denied the authenticity of the report, calling it a “fake breach report.”
“VRChat did not submit this Notice of Data Incident, and the employee/email cited does not exist,” said Charles Tupper, VRChat’s head of community.
