MrBeast-advertised calorie app Cal AI allegedly hacked: 3 million subscribers exposed

Cal AI, the viral calorie-tracking app endorsed by many celebrities, has allegedly suffered a massive data breach. A threat actor dumped nearly 15GB of data, including 3 million emails, personal and subscription details, and even “times of day users eat.” The incident has not yet been officially confirmed.
- Over 3 million emails and personal details were exposed; hackers claim they breached Cal AI.
- The exposed data allegedly includes sensitive details such as users' weights, dates of birth, subscription details, and even the times of day they eat.
- The data can be abused to launch highly targeted social engineering attacks.

A threat actor going by the moniker “vibecodelegend” has claimed on the dark web that they breached the Cal AI app.
On Monday, the hacker shared a post labeled “Calai.app – vibecoded slop calorie tracking app” and released eight files totaling 14.59GB of data. Vibe coding is the practice of using AI assistance in software development.
“Just dumped the majority of the data from this insanely insecure app,” said the attacker using a new account on the infamous marketplace.
If the post is to be believed, the hacker exfiltrated the email addresses of over 3 million users, as well as other sensitive information such as height, weight, date of birth, gender, full name, social profiles, purchased subscriptions, transaction IDs, meals, exercise goals, and more.
“A lot more random info (like times of day users eat? lol?)” the hacker brags.
“No password info, sadly, as the app does not use passwords. Instead, they opted for a hyper-secure 4-digit numeric PIN. The login endpoint has no rate limit or captcha.”
The attacker claims to have exploited an unauthenticated Google Firebase backend, noting that the company promised “to always keep your personal information private and secure.”
“Meanwhile entire subscription table can be read without authentication,” the post reads.
The Cybernews research team has reviewed the data and confirmed that it appears legitimate. We’ve reached out to Cal AI and MyFitnessPal for comment and will update the story with their responses.
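A server-side attempt limiter for the weakness the post describes (a 4-digit PIN behind a login endpoint with no rate limit), as an added example that is not from the article or from Cal AI's code. The class and function names and the policy constants are assumptions chosen for illustration.

```python
import hmac
import os
from dataclasses import dataclass

PIN_SPACE = 10 ** 4      # a 4-digit numeric PIN has 10,000 possible values
MAX_FAILURES = 5         # assumed policy: failures allowed before a lockout
BASE_LOCKOUT_S = 60      # assumed policy: first lockout, doubling on each repeat
MAX_LOCKOUT_S = 3600     # assumed policy: cap on any single lockout

def lockout_seconds(prior_lockouts):
    """Length of the next lockout after `prior_lockouts` earlier ones."""
    return min(BASE_LOCKOUT_S * 2 ** prior_lockouts, MAX_LOCKOUT_S)

def forced_wait_for_keyspace():
    """Total lockout time before every PIN could be submitted (no wait after the last batch)."""
    return sum(lockout_seconds(k) for k in range(PIN_SPACE // MAX_FAILURES - 1))

@dataclass
class Account:
    pin_mac: bytes
    failures: int = 0
    lockouts: int = 0
    locked_until: float = 0.0

class PinLimiter:
    """Per-account failure counter with capped exponential lockouts."""
    def __init__(self):
        self._key = os.urandom(32)   # server-side key so raw PINs are not stored
        self._accounts = {}

    def _mac(self, pin):
        return hmac.new(self._key, pin.encode(), "sha256").digest()

    def enroll(self, account_id, pin):
        self._accounts[account_id] = Account(self._mac(pin))

    def verify(self, account_id, pin, now):
        """Return 'ok', 'denied' or 'locked'; `now` is the current time in seconds."""
        acct = self._accounts[account_id]   # KeyError if the account was never enrolled
        if now < acct.locked_until:
            return "locked"          # the submitted PIN is not evaluated at all
        if hmac.compare_digest(acct.pin_mac, self._mac(pin)):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked_until = now + lockout_seconds(acct.lockouts)
            acct.lockouts, acct.failures = acct.lockouts + 1, 0
        return "denied"
```

With these assumed values, submitting all 10,000 PINs against one account incurs about 83 days of lockouts. A per-account counter is only one layer; a per-source limit is still needed alongside it.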
What’s in the leak
The dataset contains eight files, with user data as follows:
- Weight: 3.5M lines, including user IDs and their weight. Some users have multiple records
- User data: 3.2M lines, including user IDs, gender, sometimes date of birth, goal, macronutrient intakes, weight, height
- Subscription details: about 3M lines, including user and transaction IDs, and emails. Some of the data is hidden by Apple's privacy features
- Profiles: 350k records, including usernames, full names, and user achievements within the app
- Settings: 5.2M lines, including user IDs and app settings
- Meal logs: 14k lines, including user IDs and meal details
- Groups: 22k lines, including group chat info and members, but no messages were exposed
- Conversions: 222k lines, including emails and user IDs
“The most sensitive information appears to be the contact information. Together with other details, it can be used to craft detailed user profiles for targeted social engineering attacks,” Cybernews researchers said.
The threat actor also claims it could’ve exfiltrated “all logged food information” but didn’t bother.
“It seems to me like mostly useless junk and is 3-5x the size of all the other data in the db combined. If I were to scrape all the images from it, it would easily be several terabytes,” the hacker explained.
The provided samples contain personal details of a user born in 2014, raising concerns about child data protection.
The compressed data is available for download to users of the illicit forum.
What is Cal AI?
Cal AI (calai.app) is an AI-powered calorie-tracking app that works by simply taking a picture of the food you're about to eat. It was acquired by fitness platform MyFitnessPal just a week ago.
The app went viral after a paid sponsorship with MrBeast (Jimmy Donaldson), one of YouTube's most-followed creators, and endorsements by many other influencers. It was downloaded over 15 million times.
According to TechCrunch, the startup was built by two high school teenagers. It has achieved an annual revenue of 30 million in under 2 years.
While the hacker mocks the app as “vibecoded slop,” the developers behind it have previously been noted for their hands-on, “old-fashioned” coding approach.