- Government presentation sparked panic over alleged exposure of VRChat user data
- VRChat denies any breach and calls the notice completely fabricated and misleading.
- The notice claims that millions of users are affected by access to the cloud system
Confusion has arisen around claims that millions of VRChat users were affected by a major data security incident after the official publication of a breach notice.
The notice alleged that data linked to more than 2.4 million users had been exposed following unauthorized access to the platform’s cloud environment between May 10 and 12, 2026.
However, VRChat has completely disputed the report, stating that it has no evidence that its systems, user data, or infrastructure was compromised.
VRChat Dispute Report Outlining Exposure of 2.4 Million Users
The controversy began after a data incident notice appeared through the Maine Attorney General’s office claiming that 2,436,782 users’ information had been leaked.
According to the notice, the exposed data includes usernames, email addresses, subscriber status, login histories, device details, hardware identifiers, IP addresses, and linked Steam or Meta account identifiers.
The document also indicates that passwords, payment card information, financial records and government identification documents used for age verification were not affected.
The alleged incident drew attention because VRChat is one of the largest virtual reality social platforms.
It serves millions of users who have created tens of millions of pieces of content since its launch in 2014.
However, VRChat has vehemently denied the authenticity of the report, calling it a “fake breach report.”
“VRChat did not send this Data Incident Notice and the employee/email cited does not exist,” said Charles Tupper, VRChat Community Lead.
“We have no reason to believe that our data or systems have been compromised. We are in the process of contacting the Maine Attorney General’s office to remove this.”
Doubts arise over authenticity of government presentation
Following the company’s response, increased scrutiny raised additional questions about the reported breach and its origins.
Attempts to verify the details listed in the notice encountered difficulties, including a no longer operational phone number and an email. address that produced no response.
Investigations also reportedly failed to identify records linking the named employee cited in the filing to VRChat.
The company said it was working with the Maine Attorney General’s office to remove the notice while seeking clarification on how the report appeared.
Had the reported intrusion been genuine, it would have represented one of the largest incidents revealed involving a virtual reality platform.
The alleged breach report also differed from many large-scale incidents because it made no mention of identity theft monitoring or credit protection services commonly offered after major data exposures.
For now, the dispute leaves an unusual situation in which a breach notice published by the government alleges a significant compromise while the company named in the document insists that no attack occurred.
According to VRChat’s rebuttal, this report appears to be a clerical error or a fabricated presentation.
The latter is most likely because the perpetrators reportedly fabricated a fake notice that appeared to come from VRChat and was supposedly sent to users.
Interestingly, the Maine Attorney General’s Office was forced to take its reporting portal offline after multiple false disclosures ended up on the website, including the VRChat incident.
Another fraudulent disclosure posing as Discord also ended up on the platform.
Through registration
Follow TechRadar on Google News and add us as a preferred source to receive news, reviews and opinions from our experts in your feeds.
