The virtual-reality social platform VRChat has disclosed a data breach affecting more than 2.4 million users. In a breach notice, the company said an attacker gained unauthorized access to some account data in its cloud environment between May 10 and May 12, 2026.
What was exposed
The information varied by account but could include a user's VRChat username, the email address tied to the account, VRChat+ subscription status, and login history, including device information, hardware identifiers, and IP addresses. VRChat stated that passwords, credit card numbers and other payment information, and the government ID documents used for age verification were not compromised.
VRChat is a popular social app for virtual-reality headsets, where users interact through custom 3D avatars and worlds. It is reachable through Steam on PC, the Meta Quest Store, and as an Android app, which means many accounts are linked to other gaming identities.
Why it matters
With no passwords or card data taken, direct payment fraud from this breach alone is unlikely. But the combination of emails, usernames, and device and network identifiers still creates real risk. The most immediate is phishing: criminals can craft convincing lures that appear to come from "VRChat Support," and knowledge of a user's VRChat+ subscription status makes fake billing or refund scams more believable.
There is also a credential-stuffing risk. Attackers routinely pair leaked email addresses with passwords stolen in unrelated breaches and replay them against accounts, which works whenever people reuse passwords. Finally, linked Steam and Meta identifiers can help correlate a person's identity across multiple platforms, building a fuller profile of an individual.
What affected users should do
VRChat says it has added security controls and engaged outside professionals to monitor for further threats. Affected users should be wary of unexpected emails, texts, or calls claiming to come from VRChat or the platforms they used to access it. Anyone who reused their VRChat password elsewhere should change it on those other accounts now, and enable two-factor authentication on the VRChat account if they have not already.
This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.