A hacker using the alias “vibecodelegend” is claiming responsibility for breaching Cal AI, a smartphone application that uses artificial intelligence to track calories and nutritional information. The alleged breach was announced on Monday, March 9, 2026, through a post on the cybercrime marketplace BreachForums.
Cal AI has grown rapidly in popularity due to its use of artificial intelligence to help users track calories by analyzing food images and nutritional information. The platform recently attracted further attention after acquiring the widely used fitness app MyFitnessPal, expanding its presence in the health and nutrition tracking market.
It is worth noting that MyFitnessPal itself suffered a massive data breach back in March 2018 when the platform’s previous owner, Under Armour, revealed that hackers stole personal details of over 150 million users.
As for the Cal AI data breach claims, in the forum post, the individual claimed to have obtained and leaked 12 GB of personal data belonging to more than 3 million users of the popular health and fitness app. According to the hacker, the leaked dataset contains a wide range of personal and behavioral information collected by the app. The exposed data allegedly includes dates of birth, names, genders, usernames, social media profiles, PIN codes, subscription details, and physical attributes such as height and weight.
The attacker also claims the database contains over 2.8 million unique email addresses, nearly 1.2 million of which use Apple’s private relay service (@privaterelay.appleid.com), a feature designed to hide users’ real email addresses when signing up for apps.
In addition to personal details, the dataset reportedly includes meal logs and calorie tracking information, such as the times users eat and other nutrition-related data. Because this information shows users’ eating habits and health-related patterns, it could expose sensitive lifestyle details if verified.
Is the Data Authentic? Cal AI Yet to Respond
Hackread.com contacted Cal AI through the company’s press contact page on March 9, 2026, seeking confirmation or clarification regarding the claims. However, no response had been received at the time of publication.
Hackread.com also analysed the data shared by the hacker. While the authenticity of the data and the full extent of the alleged breach have not been independently verified at the time of writing, our analysis shows strong indications that the claims may be credible. However, Cal AI remains the only authority that can officially confirm or deny the incident. If confirmed, the breach could expose a significant amount of personal and behavioral data linked to millions of users.
Hackread.com can also confirm that this data is now being circulated on several Russian-speaking platforms, as well as on Telegram channels infamous for circulating leaked data. Therefore, for now, users of Cal AI are advised to remain cautious of suspicious emails and consider changing passwords associated with accounts that use the same email address until the company confirms whether the breach claims are legitimate.
This article will be updated based on Cal AI’s response. Stay tuned.
