VRChat Data Breach Compromises Over 2.4 Million User Accounts

VRChat Inc., the San Francisco-based company behind the popular online social platform VRChat, disclosed a data breach that affected approximately 2,436,782 individuals in the United States, including 8,607 Maine residents.

VRChat first reported the breach to the Maine Attorney General on June 10, 2026. The company plans to begin notifying affected consumers electronically on June 12, 2026.

VRChat discovered unauthorized access to certain data stored in its cloud environment in May 2026. Upon detecting the suspicious activity, the company contained the access and launched a forensic investigation with the help of outside cybersecurity experts.

The investigation determined that an unauthorized third party accessed certain user account information between May 10 and 12, 2026.

The types of information exposed varied by account and may have included some or all of the following: VRChat usernames, email addresses associated with VRChat accounts, VRChat+ subscription status, login history (including device type, hardware identifiers and IP addresses), and Steam or Meta user IDs linked to VRChat accounts.

According to the company's notification, the unauthorized party did not access passwords, credit card numbers or payment information and government identification documents used in VRChat's age verification process.

VRChat's response to the breach

Although no passwords or financial data were exposed, the breach still included information that could potentially be misused. The company urges users to watch for phishing attempts, warning that bad actors may send unsolicited messages posing as VRChat to try to collect sensitive information.

Individuals who have questions about this incident can contact VRChat Inc. by email at security@vrchat.com or by mail at VRChat Inc., 548 Market St. #93053, San Francisco, CA 94104.