- The government’s filing sparked panic over alleged exposure of VRChat user data
- VRChat denies any breach and calls the notice completely fabricated and misleading
- Notice claims that millions of users are affected by cloud system access
Confusion has arisen over claims that millions of VRChat users were affected by a major data security incident following an official release of a breach notification.
The announcement claimed that data linked to over 2.4 million users had been exposed following unauthorized access to the platform’s cloud environment between May 10 and May 12, 2026.
However, VRChat has disputed the report completely, stating that it has no evidence that its systems, user data or infrastructure were compromised.
VRChat disputes report detailing the exposure of 2.4 million users
The controversy began after a data incident notice surfaced through the Maine Attorney General’s office, claiming that the information of 2,436,782 users had been leaked.
According to the announcement, the exposed data includes usernames, email addresses, subscriber status, login history, device details, hardware IDs, IP addresses, and linked Steam or Meta account IDs.
The document also stated that passwords, payment card information, financial records and government identification documents used for age verification were unaffected.
The alleged incident drew attention because VRChat is one of the largest social virtual reality platforms.
It serves millions of users who have created tens of thousands of content items since its launch in 2014.
However, VRChat has vehemently denied the authenticity of the report, calling it a “fake breach report.”
“VRChat did not submit this data incident notification and the cited employee/email does not exist,” said Charles Tupper, VRChat’s Community Manager.
“We have no reason to believe that our data or systems have been compromised. We are in the process of contacting the Maine Attorney General’s office to have this removed.”
Questions are emerging about the authenticity of the government filing
Following the company’s response, further investigation raised more questions about the reported breach and its origin.
Attempts to verify the details of the notice encountered problems, including a phone number that was no longer operational and an email address that gave no response.
Investigations also reportedly failed to identify records linking the named employee cited in the filing to VRChat.
The company said it was working with the Maine Attorney General’s office to have the notice removed while it sought clarification on how the report appeared.
If the reported hack had been real, it would have represented one of the larger disclosed incidents involving a virtual reality platform.
The alleged breach report also differed from many large incidents because it did not mention identity theft monitoring or credit protection services commonly offered after major data exposures.
So far, the dispute leaves an unusual situation where a publicly released breach notice claims a major compromise, while the company named in the filing insists no attack took place.
From VRChat’s rebuttal, this report appears to be either an administrative error or a fabricated submission.
The latter is most likely, with the perpetrators allegedly manufacturing a fake message that appeared to come from VRChat and was allegedly sent to users.
Interestingly, the office of the Maine Attorney General was later forced to take its reporting portal offline after several false disclosures, including the VRChat incident, ended up on the website.
Another fraudulent disclosure impersonating Discord also ended up on the platform.
Via The Register



