VRChat data breach exposes 2.4M users, but they say it’s fake


VRChat says a widely reported breach notice claiming 2.4 million users were exposed is fake, and that it has no reason to believe its systems were compromised.

Key takeaways:

A breach notification was filed with the Office of the Maine Attorney General, claiming that VRChat had suffered a data incident.


The notice said 2.4 million users, the majority of VRChat’s global userbase, were compromised during the breach.

Data such as “name or other personal identifier in combination with…” was exposed, but little evidence was provided to support the claims.

Screenshot from the Office of the Maine Attorney General

Media everywhere jumped on the news, reporting that VRChat has exposed the personal data of the majority of its user base.

However, VRChat has denied that it ever suffered a data breach and says the notification submitted was fake.

Cybernews has reached out to VRChat for comment.

VRChat didn’t submit the data incident notices and has “no reason to believe that [its] systems have been compromised,” the company said on Reddit.

Screenshot from Reddit

The notice included a PDF written and sent by an employee who doesn’t exist, according to VRChat staff.

The PDF has since been taken down, but, at the time of writing, the notice is still visible on the Attorney General’s website.

An actor posing as VRChat filed the notice, saying that the company had been breached between May 10th and May 12th.

The supposed hack involved unauthorized access to VRChat’s cloud environment, and the hacker allegedly took users’ login and profile data, according to Malwarebytes.

Screenshot from the Office of the Maine Attorney General

Data included VRChat usernames, email addresses, VRChat+ subscription statuses, and login history (device information, hardware identifiers, and IP addresses).

VRChat isn’t the first to be framed by unknown actors. Discord was accused of a breach that allegedly affected 10 million users.

Discord users were allegedly impacted by "insider wrongdoing," but the report was riddled with red flags suggesting it may be bogus.


As in the VRChat case, the entity responsible for the breach notification, a person named “Xavier Morrison,” provided fake contact information.


There was also no trace of customer notification emails, suggesting that an outside individual filed the notification just to stir up trouble.
