
Alleged Cal AI data breach exposes data of more than 3 million users

A hacker has claimed responsibility for breaching Cal AI, a rapidly growing artificial intelligence–powered calorie-tracking app, and releasing nearly 15 gigabytes of user data online, potentially exposing personal and behavioral information belonging to more than 3 million users. The alleged breach surfaced Monday when a threat actor posted the dataset on a cybercrime forum. The company has not publicly confirmed the incident.


The individual using the alias “vibecodelegend” published a message on the underground marketplace alongside eight compressed files totaling approximately 14.59GB. The files contain millions of records that appear to include email addresses, subscription information and detailed user profiles associated with the Cal AI platform.


The leaked dataset allegedly includes more than 3 million email addresses as well as names, gender, dates of birth, physical attributes such as height and weight, and subscription and transaction records. Additional data fields indicate exercise goals, macronutrient targets, meal logs and behavioral details such as the times of day users typically eat.


Cal AI is a smartphone application that uses artificial intelligence to analyze food images and estimate calorie and nutrition information, allowing users to track dietary intake by photographing meals. The platform gained widespread visibility through influencer promotions and celebrity endorsements and has recorded more than 15 million downloads since launch.


The attacker described the application as insecure and claimed the breach resulted from an exposed backend database associated with Google Firebase. The post alleged that portions of the database could be accessed without authentication, including tables containing subscription information.


The hacker stated that the application does not rely on traditional passwords and instead uses a four-digit numeric PIN for account access. The attacker asserted that the login endpoint lacked rate limiting or CAPTCHA protections, conditions that could increase the risk of automated access attempts.


The released files reportedly include multiple categories of information drawn from the platform’s database. Data tables contain roughly 3.5 million entries related to user weight records and approximately 3.2 million entries tied to user profiles that include gender, goals and physical measurements. Subscription records include around 3 million entries linking user identifiers with email addresses and transaction identifiers.


Additional records contain about 350,000 profile entries with usernames, full names and in-app achievements. Other tables list more than 5 million configuration records tied to application settings. Smaller datasets contain meal logs, group membership information and conversion records linking email addresses to user IDs.


The dataset also reportedly includes behavioral information collected by the application, such as meal-tracking details and nutrition logs. In some instances, sample records show personal details associated with accounts belonging to users born in 2014, raising concerns about potential exposure of data linked to minors.


Contact information combined with other personal attributes could enable attackers to build detailed user profiles that might be used in targeted phishing or social engineering campaigns.


The data archive has been made available for download within illicit online communities and is circulating through various forums and messaging channels that specialize in distributing stolen datasets.


Cal AI recently drew attention after acquiring MyFitnessPal, a widely used fitness and nutrition tracking platform. MyFitnessPal previously experienced a major security incident in 2018 while under the ownership of Under Armour, when attackers obtained personal information belonging to more than 150 million users.



© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543