- Government filing sparked panic over alleged exposure of VRChat user data
- VRChat denies any breach, calling the report completely fabricated and misleading
- Advisory Claims Millions of Users Affected by Cloud System Access
Confusion has arisen around claims that millions of VRChat users were affected by a major data security incident after a breach notice was officially released.
The notice alleged that data related to over 2.4 million users was exposed following unauthorized access to the platform’s cloud environment between May 10 and 12, 2026.
However, VRChat fully disputed the report, saying it had no evidence that its systems, user data, or infrastructure had been compromised.
VRChat Disputes Report Describing Exposure of 2.4 Million Users
The controversy began after a data incident notice appeared from the Maine Attorney General’s office claiming that the information of 2,436,782 users had been leaked.
According to the advisory, the exposed data includes usernames, email addresses, subscriber status, login histories, device details, hardware identifiers, IP addresses, and linked Steam or Meta account identifiers.
The document also stated that passwords, payment card information, financial records and government identification documents used for age verification were not affected.
The alleged incident attracted attention because VRChat is one of the largest virtual reality social platforms.
It serves millions of users who have created tens of millions of pieces of content since its launch in 2014.
However, VRChat vehemently denied the authenticity of the report, calling it a “false breach report.”
“VRChat has not submitted this data incident notice, and the cited employee/email does not exist,” said VRChat Community Manager Charles Tupper.
“We have no reason to believe that our data or systems have been compromised. We are in the process of contacting the Maine Attorney General’s Office to have this information removed.”
Questions emerge over authenticity of government dossier
Following the company’s response, further review raised additional questions regarding the reported breach and its origins.
Attempts to verify the details listed in the notice encountered difficulties, including a phone number that was no longer operational and an email address that produced no response.
Investigations also reportedly failed to identify documents linking the named employee cited in the filing to VRChat.
The company said it was working with the Maine attorney general’s office to have the notice removed while seeking clarification on how the report came to exist.
If the reported intrusion had been genuine, it would have represented one of the most significant incidents involving a virtual reality platform.
The alleged breach report also differed from many large-scale incidents because it did not mention identity theft monitoring or credit protection services commonly offered after major data exposures.
For now, the dispute leaves room for an unusual situation in which a breach notice issued by the government alleges a major compromise while the company named in the filing insists no attack took place.
Based on VRChat’s rebuttal, this report appears to be an administrative error or a fabricated submission.
The latter is the most likely case, with the perpetrators having fabricated a fake notification that appeared to come from VRChat and was sent to users.
Oddly enough, the Maine Attorney General’s office was later forced to take its reporting portal offline after several false disclosures ended up on the website, including the VRChat incident.
Another fraudulent disclosure impersonating Discord also made its way onto the platform.
Via The Register