{"id":230248,"date":"2026-06-11T08:25:00","date_gmt":"2026-06-11T12:25:00","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/06\/11\/breach-notification-filed-for-vrchat-but-vrchat-says-it-never-happened\/"},"modified":"2026-06-11T16:05:42","modified_gmt":"2026-06-11T20:05:42","slug":"breach-notification-filed-for-vrchat-but-vrchat-says-it-never-happened","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/06\/11\/breach-notification-filed-for-vrchat-but-vrchat-says-it-never-happened\/","title":{"rendered":"Breach notification filed for VRChat. But VRChat says it never happened"},"content":{"rendered":"<p><a href=\"https:\/\/www.malwarebytes.com\/blog\/data-breaches\/2026\/06\/data-of-2-4-million-vrchat-users-stolen\">Breach notification filed for VRChat. But VRChat says it never happened<\/a><\/p>\n<p><a href=\"https:\/\/www.malwarebytes.com\/blog\/data-breaches\/2026\/06\/data-of-2-4-million-vrchat-users-stolen\">https:\/\/www.malwarebytes.com\/blog\/data-breaches\/2026\/06\/data-of-2-4-million-vrchat-users-stolen<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-06-11 08:25:00<\/a><\/p>\n<p>Source Domain: <a href=\"www.malwarebytes.com\">www.malwarebytes.com<\/a><\/p>\n<p>Author: <a href=\"\"><\/a><\/p>\n<p> Using an unordered list, summarize the following article with between 4 and 8 key points. <\/p>\n<p>VRChat, Inc. has filed a data breach notice revealing that the information of more than 2.4 million users was involved in a data breach. <\/p>\n<p>Update June 11, 2026<\/p>\n<p>Or did someone pretending to represent the company post this data breach notice? On Reddit a VRChat representative posted:<\/p>\n<p>VRChat did not submit this Notice of Data Incident, and we have no reason to believe that our systems have been compromised. We are in the process of contacting the Maine Attorney General\u2019s office to have this removed.<\/p>\n<p>Before publishing our original article, we tried to contact VRChat on two separate email addresses but received no meaningful responses.<\/p>\n<p>According to the notice, VRChat experienced unauthorized access to some account data between May 10 and May 12, 2026. The access supposedly happened in VRChat\u2019s cloud environment and involved user profile and login-related data.<\/p>\n<p>The information exposed varied by account, but may have included:<\/p>\n<p>VRChat username<\/p>\n<p>Email address associated with the VRChat account<\/p>\n<p>VRChat+ subscription status<\/p>\n<p>Login history, including device information, hardware identifiers, and IP addresses<\/p>\n<p>VRChat explicitly states that passwords, credit card numbers or other payment information, and government ID documents used for age verification were not compromised.<\/p>\n<p>VRChat is a social platform designed primarily for virtual reality headsets, allowing users to interact with others through user-created 3D avatars and worlds.\u00a0Users can access VRChat through Steam for PC, the Meta Quest Store, or as an Android app for compatible devices.<\/p>\n<p>With no passwords or payment card data exposed, direct card fraud or immediate takeover of payment methods via this breach alone is unlikely. But even without passwords or card data, the combination of identifiers, emails, and IP\/device data creates several risks for affected users.<\/p>\n<p>Potential risks<\/p>\n<p>Phishing<\/p>\n<p>Cybercriminals may use VRChat usernames and email addresses in targeted phishing attempts. For example, users may receive phishing emails or in\u2011platform messages claiming to be from \u201cVRChat Support,\u201d with fake security alerts or prompts to \u201cconfirm your age verification\u201d via a malicious link.<\/p>\n<p>Knowledge of VRChat+ subscription status could make scams more convincing. A scammer could send tailored lures like \u201cbilling issue with your VRChat+ subscription\u201d or refund scams, which tend to have higher click-through rates among paying users.<\/p>\n<p>Account take-over<\/p>\n<p>Cybercriminals may combine usernames and email addresses from this breach with passwords stolen in other data breaches and try them against VRChat accounts. This technique, known as credential stuffing, takes advantage of people who reuse passwords across multiple sites.<\/p>\n<p>Valuable accounts may then be sold to other players or used for scams.<\/p>\n<p>Identity correlation<\/p>\n<p>Steam and Meta user IDs linked to VRChat accounts can help cybercriminals connect identities across gaming and social platforms, especially if the same email or profile name is reused.<\/p>\n<p>IP addresses, login history, device information, and other identifiers can also help build a more detailed advertising or tracking profile of a user.<\/p>\n<p>How to stay safe<\/p>\n<p>VRChat says it has implemented additional security controls and engaged professionals to monitor for further threats. If you were affected by the breach, here are some steps you can take to protect yourself:<\/p>\n<p>First and foremost, be cautious of emails, texts, or calls claiming to come from VRChat or the gaming platforms you used it on, as cybercriminals often exploit breaches with phishing scams.<\/p>\n<p>If you\u2019ve used your VRChat password anywhere else, change those accounts immediately, and set up two-factor authentication (2FA) on your VRChat account if you haven\u2019t already. <\/p>\n<p>More general advice can be found in our article on\u00a0what to do when you find out you\u2019re involved in a data breach.<\/p>\n<p>Let\u2019s\u00a0face it, an incognito window can only do so much.\u00a0\u00a0Breaches, dark web trading, credit fraud. Malwarebytes Identity Theft Protection\u00a0monitors for all of it, alerts you fast, and comes with identity theft insurance.\u00a0<\/p>\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Breach notification filed for VRChat. But VRChat says it never happened https:\/\/www.malwarebytes.com\/blog\/data-breaches\/2026\/06\/data-of-2-4-million-vrchat-users-stolen Publish Date: 2026-06-11&#8230;<\/p>\n","protected":false},"author":1,"featured_media":230249,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2026\/06\/VRChat_logo.png","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[30,31,25],"class_list":["post-230248","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-breach","tag-exploit","tag-phishing"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/230248"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=230248"}],"version-history":[{"count":1,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/230248\/revisions"}],"predecessor-version":[{"id":230250,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/230248\/revisions\/230250"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/230249"}],"wp:attachment":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=230248"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=230248"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=230248"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}