Cal AI Breach Exposes 3 Million Users' Health Data - Child Records Included

A calorie tracking app trusted with your weight, meals, and fitness goals was wide open. The Firebase misconfiguration let anyone read the entire database without credentials.


A hacker dumped 14.59 GB of Cal AI user data on BreachForums on March 9, exposing the health information of over 3.2 million people. The exposed records include dates of birth, body measurements, meal logs with timestamps, and even what time users eat each day. At least one record belongs to a child born in 2014.

The attack vector was embarrassingly basic: a Firebase database with no authentication requirements. Firebase starts secure by default — developers have to actively misconfigure it to leave data publicly readable. Someone at Cal AI did exactly that.
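The exposure pattern, as an added illustration in Firebase Realtime Database security rules (this is not from the article and not Cal AI's actual configuration; the page does not say which Firebase database product was involved, and the `subscriptions`/`users` layout keyed by user id is an assumption). The open rules are shown commented out above the locked-down replacement; the Firebase rules editor accepts `//` comments.

```json
{
  "rules": {
    // MISCONFIGURED: anyone on the internet can read and write the whole tree.
    // This is the shape of a "test mode" database and is exactly what an
    // unauthenticated dump relies on.
    // ".read": true,
    // ".write": true,

    // CORRECTED: deny everything at the root. Rules cascade downward, and a
    // grant at a parent cannot be revoked by a child rule, so the root must
    // stay closed and access is opened per path below.
    ".read": false,
    ".write": false,

    // Assumed layout (not from the page): /subscriptions/{uid}/...
    "subscriptions": {
      "$uid": {
        // Only the signed-in owner of this record may read or write it.
        ".read": "auth != null && auth.uid == $uid",
        ".write": "auth != null && auth.uid == $uid"
      }
    },

    // Assumed layout (not from the page): /users/{uid}/ with profile data
    // such as height, weight, goals and meal logs.
    "users": {
      "$uid": {
        ".read": "auth != null && auth.uid == $uid",
        ".write": "auth != null && auth.uid == $uid",
        // Refuse any write that tries to store a raw PIN in the user record;
        // a PIN belongs behind a server-side check, never in client-readable data.
        "pin": { ".validate": false }
      }
    }
  }
}
```

With the root closed, a request with no credentials receives a permission error instead of the whole table, and even an authenticated user can read only their own record.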

What Got Exposed

The attacker, using the alias “vibecodelegend,” claimed the entire subscription table was readable without credentials. The leaked data includes:

  • Full names and email addresses
  • Dates of birth and gender
  • Physical measurements (height, weight)
  • Meal logs with timestamps — when and what you eat
  • Exercise goals and macronutrient targets
  • PIN codes and subscription details
  • Social media profile links

This isn’t just email addresses and hashed passwords. It’s a complete lifestyle profile: what you weigh, what you’re trying to achieve, when you eat breakfast, and how your body is changing over time.

The 2.8 million unique email addresses and 1.2 million Apple private relay addresses confirm this wasn’t a small breach. The data is now circulating on Russian-language platforms and Telegram channels.

A 4-Digit PIN With No Lockout

The Firebase misconfiguration wasn’t Cal AI’s only security failure. The app also relied on 4-digit numeric PINs for authentication — offering less protection than a luggage lock.

With only 10,000 possible combinations and no rate limiting or CAPTCHA on the login endpoint, attackers could brute-force any account in minutes. This wasn’t sophisticated hacking. It was walking through an unlocked door.

Child Data in the Breach

At least one record reportedly belonged to a user born in 2014 — an 11-year-old. That triggers serious compliance violations under both COPPA (Children’s Online Privacy Protection Act) and GDPR, which impose heightened protections for children’s data.

When health apps collect body measurements, eating patterns, and fitness goals from minors, regulators take notice. Cal AI may face penalties beyond the reputational damage of the breach itself.

The MyFitnessPal Connection

Cal AI acquired MyFitnessPal in a deal that should have triggered exhaustive security due diligence. MyFitnessPal already suffered a massive breach in 2018 under Under Armour’s ownership, exposing 150 million accounts.

That earlier breach was mostly usernames and hashed passwords. This one is worse. Body measurements, meal patterns, and health goals create opportunities for social engineering, extortion, and targeted scams that email addresses alone don’t provide.

Acquiring a company with a breach history while running an unauthenticated database is a stunning lapse in security governance. Either the due diligence didn’t happen, or the findings were ignored.

Cal AI’s Response: Silence

As of publication, Cal AI has not responded to press inquiries about the breach. Users haven’t received breach notification emails. The company hasn’t acknowledged the incident publicly.

This silence is itself a compliance problem. GDPR requires notifying the supervisory authority within 72 hours of becoming aware of a personal data breach, and affected individuals without undue delay when the breach puts them at high risk. Various US state laws impose similar requirements. Every day without disclosure increases potential penalties.

What You Can Do

If you use Cal AI or have ever used it:

1. Change your PIN and password immediately. If you reused that PIN elsewhere (your phone, other apps), change those too.

2. Check haveibeenpwned.com. See if your email appears in the breach data once it’s indexed.

3. Watch for targeted phishing. Attackers now know your weight goals, eating habits, and email. Expect scam fitness coaching offers, fake supplement deals, or “account verification” attempts.

4. Consider deleting your account. The app has demonstrated fundamental security failures. Your data may already be gone, but limiting future exposure makes sense.

5. Monitor for identity theft. Health data combined with dates of birth and names enables more sophisticated identity fraud. Consider a credit freeze if you’re concerned.

The Bigger Picture

Cal AI isn’t unique. Health and fitness apps collect deeply personal information — often with minimal security and no regulatory oversight. Unlike medical providers bound by HIPAA, these apps operate in a gray zone where your body measurements, eating patterns, and health goals receive no special protection.

The 15 most popular weight control apps collect an average of 13 data types. Many share this information with third-party marketers. Security audits are optional. Breach disclosures are inconsistent.

This breach should make anyone reconsider which apps deserve access to their health data. The convenience of AI-powered calorie tracking comes with a cost: trusting a company to secure information about your body that you’d never share publicly.

Cal AI failed that trust. The question is whether regulators and users will hold them accountable — or move on to the next app making the same promises with the same risks.