VRChat denies data breach after Maine notice filing

A breach alert landed with the Maine Attorney General alleging that more than 2.4 million VRChat users had their data exposed. And almost immediately, a different kind of alarm spread alongside it: a question about who actually filed the notice.

On Reddit, a VRChat representative wrote that VRChat did not submit the “Notice of Data Incident,” adding, “we have no reason to believe that our systems have been compromised.” The representative said VRChat is “in the process of contacting the Maine Attorney General’s office to have this removed.”

The notice claims VRChat experienced unauthorized access to some account data between May 10 and May 12, 2026. It says the access occurred in VRChat’s cloud environment and involved user profile and login-related data.

What the notice says was potentially exposed varies by account, but it may have included a VRChat username, an email address associated with a VRChat account, VRChat+ subscription status, and login history—including device information, hardware identifiers, and IP addresses.

The notice states that no passwords or payment card data was exposed.

VRChat is a social platform designed primarily for virtual reality headsets, where people interact using user-created 3D avatars and worlds. Users can access VRChat through Steam for PC, the Meta Quest Store, or as an Android app for compatible devices.

Even if passwords or payment cards weren’t taken, the potential harm can still be real. Usernames and email addresses can be used for targeted phishing attempts. Attackers may send emails or in-platform messages that appear to come from “Support” with fake security alerts or prompts to “confirm your age” through a malicious link.

Subscription status is another lure. Scammers can tailor messages like “billing issue with your subscription” or run refund scams that tend to get higher click-through rates among paying users.

There’s also the risk of account takeover through credential stuffing. Cybercriminals can pair usernames and email addresses from one breach with passwords stolen from other data breaches, then test those credentials against accounts.

And identifiers tied to gaming and social profiles can help build a bigger picture for cybercriminals. When Steam and Meta user IDs are linked to breached accounts—especially when the same email or profile name is reused—attackers can correlate identities across platforms. Login history, IP addresses, device information, and other identifiers can also be used to develop more detailed tracking or advertising profiles.

For users deciding what to do right now, the practical advice doesn’t hinge on whether the notice turns out to be accurate or not. Be cautious of emails, texts, or calls claiming to be from VRChat or from the gaming platforms used to access it. If you’ve used your VRChat password anywhere else, change the passwords on those accounts immediately and set up two-factor authentication (2FA) on your VRChat account if you haven’t already.

The question hanging over all of this is simple and uncomfortable: if VRChat’s systems weren’t compromised, how did the notice reach the Maine Attorney General in the first place? VRChat’s representative says the company has no reason to believe the breach claim is true and is working to remove the filing.

Update June 11, 2026: The article was updated to reflect VRChat’s post on Reddit.

Before publishing the original report, attempts were made to contact VRChat on two separate email addresses, but no meaningful response was received.
