Cal AI, New Owner of MyFitnessPal, Hit by Alleged Breach of 3 Million Users

The health‑tech sector has long been a prime target for cyber‑criminals, with high‑profile incidents like the 2018 MyFitnessPal breach exposing hundreds of millions of records. As AI becomes integral to nutrition tracking, platforms such as Cal AI collect granular lifestyle data that, if compromised, offers attackers a detailed portrait of users' daily habits. This trend underscores the growing attack surface of AI‑enhanced applications, where the value of stolen data extends beyond basic identifiers to include health‑related insights that can be monetized or weaponized.

According to the alleged BreachForums post, the leaked dataset contains 12 GB of information spanning names, dates of birth, gender, usernames, and over 2.8 million email addresses—nearly half masked by Apple’s private relay service. The inclusion of meal logs, calorie counts, and physical attributes such as height and weight amplifies the sensitivity of the breach, as these details reveal personal health patterns. While Cal AI has not verified the claims, the presence of Apple‑relay emails suggests sophisticated data collection methods that could complicate user identification and remediation efforts.

For Cal AI, the fallout could be multifaceted: immediate reputational damage, potential fines under GDPR or emerging U.S. privacy statutes, and a slowdown in user acquisition as confidence wanes. Industry observers advise affected users to reset passwords, enable two‑factor authentication, and monitor for phishing attempts tied to the exposed credentials. The episode also serves as a cautionary signal for other AI‑driven health platforms to prioritize end‑to‑end encryption, regular security audits, and transparent breach communication strategies to safeguard both data and brand equity.