Privacy News Data of 2.4 million VRChat users stolen

Brownie2019

VRChat, Inc. has filed a data breach notice revealing that the information of more than 2.4 million users was involved in a data breach.

According to the notice, VRChat experienced unauthorized access to some account data between May 10 and May 12, 2026. The access happened in VRChat’s cloud environment and involved user profile and login-related data.

The information exposed varied by account, but may have included:

  • VRChat username
  • Email address associated with the VRChat account
  • VRChat+ subscription status
  • Login history, including device information, hardware identifiers, and IP addresses

VRChat explicitly states that passwords, credit card numbers or other payment information, and government ID documents used for age verification were not compromised.

VRChat is a social platform designed primarily for virtual reality headsets, allowing users to interact with others through user-created 3D avatars and worlds. Users can access VRChat through Steam for PC, the Meta Quest Store, or as an Android app for compatible devices.

With no passwords or payment card data exposed, direct card fraud or immediate takeover of payment methods via this breach alone is unlikely. But even without passwords or card data, the combination of identifiers, emails, and IP/device data creates several risks for affected users.

Potential risks
Phishing
Cybercriminals may use VRChat usernames and email addresses in targeted phishing attempts. For example, users may receive phishing emails or in‑platform messages claiming to be from “VRChat Support,” with fake security alerts or prompts to “confirm your age verification” via a malicious link.

Knowledge of VRChat+ subscription status could make scams more convincing. A scammer could send tailored lures like “billing issue with your VRChat+ subscription” or refund scams, which tend to have higher click-through rates among paying users.

Account take-over
Cybercriminals may combine usernames and email addresses from this breach with passwords stolen in other data breaches and try them against VRChat accounts. This technique, known as credential stuffing, takes advantage of people who reuse passwords across multiple sites.

Valuable accounts may then be sold to other players or used for scams.

Identity correlation
Steam and Meta user IDs linked to VRChat accounts can help cybercriminals connect identities across gaming and social platforms, especially if the same email or profile name is reused.

IP addresses, login history, device information, and other identifiers can also help build a more detailed advertising or tracking profile of a user.

How to stay safe
VRChat says it has implemented additional security controls and engaged professionals to monitor for further threats. If you were affected by the breach, here are some steps you can take to protect yourself:

First and foremost, be cautious of emails, texts, or calls claiming to come from VRChat or the gaming platforms you used it on, as cybercriminals often exploit breaches with phishing scams.

If you’ve used your VRChat password anywhere else, change those accounts immediately, and set up two-factor authentication (2FA) on your VRChat account if you haven’t already.

More general advice can be found in our article on what to do when you find out you’re involved in a data breach.

If this notice is accurate, the main impact is increased risk of targeted phishing and credential-stuffing (especially if you reused passwords), not direct payment-card fraud (since VRChat says payment data and passwords were not exposed).

What the exposed data can realistically be used for
  • Convincing phishing using your VRChat username/email and VRChat+ status (billing/refund lures, “account locked,” “age verification” scams).
  • Credential stuffing if attackers pair your email/username with passwords from other breaches and try them on VRChat and other services.
  • Privacy/correlation from login history, IP addresses, device/hardware identifiers (useful for tracking, doxxing attempts, or linking identities across platforms if you reuse names/emails).

Recommended actions (low-risk, high-value)
  • Change your VRChat password to a unique, long password (a password manager helps). Even if VRChat says passwords weren’t accessed, changing it reduces risk from credential stuffing and reuse.
  • Enable 2FA on VRChat (prefer authenticator-app based 2FA if offered). This is the single best mitigation against account takeover.
  • Change passwords anywhere you reused the same (or similar) password as VRChat—especially your email account first, then Steam/Meta and any other gaming/social accounts.
  • Be strict about links: don’t sign in via email links. Manually type the site/app, and verify the domain before entering credentials. Treat “VRChat Support” DMs/emails offering refunds/verification as suspicious by default.
  • Review account activity (where available): active sessions, recent logins, connected apps/tokens, and revoke anything you don’t recognize.
  • Harden your email (because email takeover is often the real prize): enable 2FA, review forwarding rules/filters, and confirm recovery email/phone are correct.
  • Monitor for reuse exposure: if your email appears in other breaches, prioritize changing those passwords. Services like Have I Been Pwned can help with awareness (it won’t confirm VRChat specifics unless listed).

What to ignore / be cautious about
  • Ads or “dark web scan” upsells that use fear. Focus on password uniqueness + 2FA + phishing resistance first.
  • Anyone asking for your “age verification” documents, 2FA codes, or remote access—those are common scam paths after breaches.

If you see suspicious activity
Lock down email first, then reset VRChat/Steam/Meta passwords, revoke sessions, and contact official support channels from inside the app or from the vendor’s official website (not from message links). If the forum thread includes a source link to the original notice, it’s also worth comparing the wording to confirm it’s legitimate before acting on any email claims.
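
The "verify the domain before entering credentials" advice above, as an added example that is not part of the thread or the quoted article: a link check that matches the host label by label instead of looking for the brand name somewhere in the URL. The allowlist entry `vrchat.com`, the function name `check_link` and every sample link are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption for illustration: confirm the vendor's real sign-in domains
# from inside the app or its official site before relying on this list.
OFFICIAL_DOMAINS = ("vrchat.com",)
BRAND = "vrchat"


def check_link(url, official=OFFICIAL_DOMAINS, brand=BRAND):
    """Return (verdict, reason) for a link received by email or DM."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".")
    except ValueError:
        return "reject", "unparseable URL"
    if parts.scheme != "https":
        return "reject", "not https"
    if not host:
        return "reject", "no host"
    # Text before '@' is userinfo, not the site: the real host comes after it.
    if parts.username is not None:
        return "reject", "userinfo before host"
    # Non-ASCII or punycode labels can render as look-alike letters.
    if not host.isascii() or any(p.startswith("xn--") for p in host.split(".")):
        return "reject", "internationalized host"
    # Whole-label match: the official domain itself or a subdomain of it.
    if any(host == d or host.endswith("." + d) for d in official):
        return "official", host
    if brand in host:
        return "reject", "brand name inside an unofficial host"
    return "unknown", host


# Constructed sample links (not taken from any real campaign).
SAMPLES = [
    "https://vrchat.com/home/login",
    "https://VRChat.com./home/login",
    "http://vrchat.com/home/login",
    "https://vrchat.com@login.example/verify",
    "https://vrchat.com.account-verify.example/login",
    "https://notvrchat.com/refund",
    "https://vrch\u0430t.com/login",  # Cyrillic 'a' in place of Latin 'a'
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(check_link(link), ascii(link))
```

An "unknown" verdict means the host is neither on the allowlist nor carrying the brand name, so the check says nothing about whether it is safe.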