Cal AI Faces Alleged Data Breach Claims Exposing 3 Million User Records
Learn More
Cal AI, an artificial intelligence-powered nutrition tracking platform and the new owner of MyFitnessPal, is facing an alleged data breach involving over 3 million users.
The incident surfaced on March 9, 2026, when a threat actor using the alias "vibecodelegend" posted a 12 GB dataset on the BreachForums cybercrime marketplace. Cal AI has not officially confirmed the breach.
The threat actor claims to have stolen the data directly from Cal AI's infrastructure but has not disclosed the vector of attack. Security researchers analyzed the shared samples and found strong indications of authenticity, noting that the data is already circulating on Russian-speaking cybercrime platforms and Telegram channels. The dataset reportedly includes over 2.8 million unique email addresses.
The allegedly compromised data includes:
- Full names and usernames
- Dates of birth and gender
- Social media profiles and PIN codes
- Subscription details
- Physical attributes including height and weight
- Meal logs and calorie tracking timestamps
- 2.8 million unique email addresses (including 1.2 million Apple Private Relay addresses)
Cal AI has not yet issued a public statement or responded to inquiries regarding the legitimacy of the BreachForums post. There is no information that the company has initiated mandatory password resets or notified their user base of the veracity of the hacker claims as of the reporting date.
Because the data is actively being traded and shared, the lack of immediate containment or communication from the organization leaves users at heightened risk of secondary attacks.
