- Government filing triggered panic over alleged VRChat user data exposure
- VRChat denies any breach, calling the notice completely fabricated and misleading
- Notice claims millions of users affected through cloud system access
Confusion has emerged around claims that millions of VRChat users were affected by a major data security incident after an official publication of a breach notice.
The notice alleged that data linked to over 2.4 million users had been exposed following unauthorized access to the platform's cloud environment between May 10 and May 12 2026.
However, VRChat has disputed the report entirely, stating that it has no evidence that its systems, user data, or infrastructure were compromised.
VRChat disputes report describing exposure of 2.4 million users
The controversy began after a data incident notice appeared through the Maine Attorney General's office claiming that the information of 2,436,782 users had been leaked.
According to the notice, the exposed data includes usernames, email addresses, subscriber status, login histories, device details, hardware identifiers, IP addresses, and linked Steam or Meta account identifiers.
The document also stated that passwords, payment card information, financial records, and government identification documents used for age verification were unaffected.
The alleged incident attracted attention because VRChat is one of the largest social virtual reality platforms.
It serves millions of users who have created tens of millions of content items since launching in 2014.
However, VRChat has vehemently denied the authenticity of the report, calling it a “fake breach report.”
"VRChat did not submit this Notice of Data Incident, and the employee/email cited does not exist,” said Charles Tupper, VRChat's head of community.
“We have no reason to believe that our data or systems have been compromised. We are in the process of contacting the Maine Attorney General's office to have this removed."
Questions emerge over the authenticity of the government filing
Following the company's response, further scrutiny raised additional questions surrounding the reported breach and its origins.
Attempts to verify details listed within the notice encountered difficulties, including a phone number that was no longer operational and an email address that produced no response.
Investigations also reportedly failed to identify records linking the named employee cited within the filing to VRChat.
The company said it was working with the Maine Attorney General's office to have the notice removed while seeking clarification regarding how the report appeared.
Had the reported intrusion been genuine, it would have represented one of the larger disclosed incidents involving a virtual reality platform.
The alleged breach report also differed from many large-scale incidents because it did not mention identity theft monitoring or credit protection services commonly offered after major data exposures.
For now, the dispute leaves an unusual situation in which a government-published breach notice alleges a major compromise while the company named in the filing insists no attack occurred.
From VRChat’s rebuttal, this report seems to be an administrative error or a fabricated submission.
The latter is most likely because the perpetrators reportedly fabricated a fake notice that appeared to come from VRChat and was allegedly sent to users.
Intriguingly, the Office of the Maine Attorney General was later forced to pull its reporting portal offline after multiple fake disclosures ended up on the website - including the VRChat incident.
Another fraudulent disclosure impersonating Discord also ended up on the platform.
Via The Register
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds.