Cal AI, the viral calorie-tracking app endorsed by MrBeast and other influencers, is facing serious data breach allegations.

A hacker claims to have stolen personal records belonging to more than 3 million users. Leaked files are already circulating on dark web forums and Telegram channels.

The app lets users snap a photo of their food to count calories using artificial intelligence. It has been downloaded over 15 million times.

Just one week before the breach surfaced, Cal AI completed its acquisition of MyFitnessPal, the fitness platform that suffered its own massive breach in 2018.

How the Cal AI Data Breach Happened

On March 9, 2026, a hacker going by “vibecodelegend” posted on BreachForums claiming to have extracted roughly 15 GB of data from Cal AI’s backend.

The attacker says they exploited an unauthenticated Google Firebase database, meaning no login credentials were needed to access user records.

According to the hacker, the stolen dataset includes:

• Full names and usernames
• Over 2.8 million unique email addresses
• Dates of birth, genders, heights, and weights
• Social media profiles
• PIN codes and subscription details
• Meal logs, calorie tracking data, and times of day users eat

Security researchers reviewed the samples and confirmed they appear legitimate. One alarming detail: the dataset contains records of a user born in 2014, raising child data protection concerns.

TROYPOINT Tip: Protect your identity and personal info from a data breach by using Aura Identity Theft Protection which is TROYPOINT’s recommended identity theft protection.

Aura Identity Theft Protection Review

Cal AI’s Response

As of publication, Cal AI has not responded to press inquiries about the alleged breach. This silence is concerning given that the company just acquired MyFitnessPal, meaning they now control data from two platforms with a history of security failures.

If you use Cal AI or recently created an account, take action right away. Change passwords on any accounts tied to the same email you used for the app. Enable two-factor authentication wherever possible, and watch for phishing emails that reference your health data.

Final Thoughts

This won’t be the last data breach involving sensitive health information. As more apps collect detailed records about our bodies and daily routines, the target on these platforms only grows.

I recommend checking Have I Been Pwned to see if your email has appeared in this or any other known breach.

For more details on this story, refer to the report from Hackread.

We want to know your thoughts. What do you think about this story? Let us know in the comment section below!

Be sure to stay up-to-date with the latest streaming news, reviews, tips, and more by following the TROYPOINT Advisor with updates weekly.