VRChat, Inc. Data Breach Investigation

Data Breach Blog

Data Breach

VRChat, Inc. Data Breach Investigation

Almeida Law Group Calendar Icon

Date of data breach:

June 11, 2026

by: Almeida Law Group

Almeida Law Group is investigating a data breach at VRChat, Inc. The breach occurred on 05/10/2026 and was discovered on 05-12-2026. If you were affected, contact Almeida Law Group.

About VRChat, Inc.

VRChat, Inc. is a San Francisco, California-based company that operates an online social virtual reality platform allowing users to interact through user-created 3D avatars and virtual worlds. The platform supports VR headsets as well as desktop and mobile modes and offers a subscription service called VRChat+. Founded in 2014 and having raised approximately $96 million in funding, VRChat had over 2.4 million users affected by this breach. The compromised data includes account identifiers, email addresses, login history, hardware identifiers, IP addresses, and linked Steam or Meta user IDs — information that could be used to track or identify users across platforms, which is a particular concern for a community where many users rely on pseudonymity.

What Happened?

VRChat, Inc. was listed in a Maine Attorney General data breach filing reported on June 10, 2026. The incident is described as an external system breach involving unauthorized hacking. According to the filing and VRChat’s own breach notice, an unauthorized third party accessed user account data stored in VRChat’s cloud environment between May 10 and May 12, 2026. The breach was discovered on May 12, 2026, and VRChat states it immediately contained the suspicious activity and engaged cybersecurity professionals to conduct a forensic investigation. A total of 2,436,782 persons were affected. Consumer notifications were sent electronically on or around June 12, 2026 — approximately 31 days after discovery. VRChat did not offer identity theft protection services to affected individuals.

The compromised data may have included VRChat usernames, email addresses, VRChat+ subscription status, login history (including device information, hardware identifiers, and IP addresses), and Steam or Meta user IDs linked to VRChat accounts. VRChat confirmed that passwords, payment information, and government identification documents used for age verification were not compromised. No ransomware group or specific threat actor has been publicly identified in connection with this incident. No class action litigation had been filed as of the time of this writing, though the large number of affected users and the absence of offered identity protection services could make this an attractive target for future claims.

Key Facts at a Glance

  • Company or Organization: VRChat, Inc.
  • Industry: Social virtual reality platform / Online gaming and interactive entertainment
  • Location: San Francisco, California
  • Incident type: External system breach (hacking)
  • Date of breach: May 10, 2026
  • Date breach discovered: May 12, 2026
  • Date of consumer notification: June 12, 2026
  • Total persons affected: 2,436,782
  • Identity theft protection offered: No
  • Source: Maine AG Data Breach Filing – VRChat; VRChat – Wikipedia; Tracxn – VRChat

What Should You Do?

If you received a notice from VRChat, there are several practical steps you can take now. Because VRChat did not offer identity theft protection services, you should consider placing a free fraud alert or credit freeze with the three major credit bureaus — Equifax, Experian, and TransUnion — to reduce the risk of someone opening new accounts in your name. Review your VRChat account for unrecognized logins and change your password to something strong and unique; enable two-factor authentication wherever it is available. Because exposed data includes email addresses, hardware identifiers, and linked Steam or Meta account IDs, be alert to phishing emails or messages that appear to come from VRChat or connected platforms. You can request a free annual credit report at AnnualCreditReport.com, and if you suspect misuse of your personal information, visit IdentityTheft.gov for guidance from the Federal Trade Commission.

Your Legal Rights

If your personal information was involved in this breach, you may have legal rights depending on the facts of the incident and the law in your state. Almeida Law Group represents consumers in data breach and privacy litigation and can help you evaluate whether you may have a claim. Contact us at (708) 529-5418 or through our contact page for a free case evaluation.

Were You a Victim of a Data Breach?

"*" indicates required fields

By clicking the SEND button and submitting this form, I consent to receive communications from Almeida Law Group LLC and their co-counsel by phone call, email, and/or SMS regarding this matter and other potential legal matters. I understand that message and data rates may apply and that consent to such contact is not required for use of these services. Message frequency varies. Reply STOP to opt-out and HELP for help. I also agree to the Privacy Policy. I understand that my information may be shared with advertising partners to deliver targeted advertisements and optimize outreach efforts. I confirm that I am at least 18 years old. I have read and understand the disclaimer above. I agree my use of this site and the information provided here is not intended to create and does not create an attorney client relationship with the Almeida Law Group and/or attorneys employed by the Firm. No attorney client relationship is intended or created unless and until an engagement agreement is signed by all relevant parties. The contents of this site constitute attorney advertising and not legal advice; therefore you should not act or rely upon any information contained herein, and should always seek the advice of an attorney.

Resourceful. Resilient. Relentless.

Contact us today to get the justice you and your family deserve.

Contact us Today