VRChat Data Breach Exposes 2.4 Million Users' Profile and Device Data
Unauthorized access to VRChat's cloud environment between May 10-12, 2026, exposed usernames, emails, device info, and IP addresses of over 2.4 million users.
VRChat, Inc. has disclosed a data breach impacting more than 2.4 million users after an attacker gained unauthorized access to its cloud environment between May 10 and May 12, 2026. The social platform, which is designed primarily for virtual reality headsets and allows users to interact through user-created 3D avatars and worlds, filed a data breach notice detailing the exposure of user profile and login-related data.
The exposed information varied by account but may have included VRChat usernames, email addresses, VRChat+ subscription status, login history, device information, hardware identifiers, and IP addresses. Critically, VRChat explicitly states that passwords, credit card numbers or other payment information, and government ID documents used for age verification were not compromised in the incident.
While the absence of exposed passwords and payment card data means direct account takeover or card fraud is unlikely from this breach alone, the combination of identifiers creates significant secondary risks. Cybercriminals can use usernames and email addresses in targeted phishing campaigns, potentially impersonating VRChat support with fake security alerts or billing-related scams that exploit the user's subscription status. The login history and device information also enable credential stuffing attacks, where attackers combine VRChat usernames with passwords stolen from other breaches to gain unauthorized access to accounts.
Another notable risk involves identity correlation across platforms. Steam and Meta user IDs linked to VRChat accounts can help attackers connect identities across multiple gaming and social platforms, especially if users reuse the same email or profile name. IP addresses and hardware identifiers further enable the construction of detailed tracking profiles, potentially aiding in targeted advertising or broader surveillance.
In response to the breach, VRChat says it has implemented additional security controls and engaged cybersecurity professionals to monitor for further threats. The company advises affected users to be cautious of any emails, texts, or calls claiming to come from VRChat or associated gaming platforms, as cybercriminals often exploit data breaches with phishing attempts. Users who have reused their VRChat password elsewhere should change those accounts immediately, and setting up two-factor authentication on their VRChat account is strongly recommended.
This incident highlights the growing attack surface presented by social VR platforms, which collect a rich set of behavioral and hardware-identifying data that can be highly valuable for cybercriminals even without financial credentials. As virtual reality communities expand, the security of the underlying cloud infrastructure and user identity protections will become increasingly critical to protect against sophisticated phishing and identity theft campaigns targeting the metaverse ecosystem.