User data linked to the calorie tracking application Cal AI has been exposed online after a threat actor claimed to have breached the service and released a large dataset containing information about its users.
The individual behind the alleged breach posted a message on a cybercrime forum and shared eight files containing about 14.59GB of data. The post claimed the files were taken from Cal AI, an artificial intelligence-based calorie tracking app that analyzes food photos to estimate nutritional information.
According to the threat actor, the dataset contains information tied to more than 3 million users. The exposed records allegedly include email addresses and other personal details connected to user accounts.
Security researchers who reviewed samples of the leaked files said the information appears to contain account and profile-related data. The records reportedly include details such as weight, height, gender, and in some cases dates of birth. The dataset also contains subscription-related information and transaction identifiers associated with paid services.
Additional data described in the files includes user profile information such as usernames, full names, and app achievements. Other records reportedly contain application settings, group information, and limited logs tied to meal tracking activity within the platform.
Researchers said the exposed dataset includes millions of entries across multiple tables. For example, one file reportedly contains more than 3.5 million records linked to user weight data, while another contains more than 3 million entries with subscription and email information.
The threat actor claimed the breach was possible because of an improperly secured backend database. According to the post, the attacker accessed a Google Firebase backend that allegedly allowed certain database tables to be read without authentication.
The attacker also stated that the application does not rely on traditional passwords for login. Instead, the service reportedly uses a four-digit numeric PIN system for authentication. The post alleged that the login endpoint did not implement rate limiting or CAPTCHA protections.
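To illustrate why the reported lack of rate limiting matters for a four-digit PIN, the following added example (not Cal AI's code, and not taken from the forum post) sketches a per-account attempt limiter with doubling lockouts and counts how many PIN comparisons it permits in a given time window. The thresholds, the account identifier and the PIN values are constructed assumptions; a production service would also store PINs hashed rather than compare plaintext.

```python
import hmac
from dataclasses import dataclass, field

# A four-digit numeric PIN has only 10,000 possible values.
MAX_FAILURES = 5            # assumed policy: failed attempts before a lockout
BASE_LOCKOUT_S = 60         # assumed policy: first lockout, doubled each time
MAX_LOCKOUT_S = 24 * 3600   # assumed policy: lockout capped at one day

@dataclass
class AccountState:
    failures: int = 0
    lockouts: int = 0
    locked_until: float = 0.0

@dataclass
class PinLimiter:
    accounts: dict = field(default_factory=dict)

    def attempt(self, account_id, supplied_pin, real_pin, now):
        """Return 'ok', 'denied' or 'locked' for one login attempt at time now."""
        st = self.accounts.setdefault(account_id, AccountState())
        if now < st.locked_until:
            return "locked"  # rejected before the PIN is even compared
        if hmac.compare_digest(supplied_pin, real_pin):  # constant-time compare
            st.failures = 0
            return "ok"
        st.failures += 1
        if st.failures >= MAX_FAILURES:
            delay = min(BASE_LOCKOUT_S * 2 ** st.lockouts, MAX_LOCKOUT_S)
            st.locked_until = now + delay
            st.lockouts += 1
            st.failures = 0
        return "denied"

def guesses_checked(window_s, step_s=1):
    """Count PIN comparisons the limiter permits for a client retrying every step_s seconds."""
    limiter = PinLimiter()
    checked = 0
    for now in range(0, window_s, step_s):
        # Constructed values: the supplied PIN never matches the real one.
        if limiter.attempt("acct-1", "0000", "9999", float(now)) != "locked":
            checked += 1
    return checked

if __name__ == "__main__":
    # Without a limiter, one retry per second is 3,600 comparisons per hour.
    print("comparisons permitted in 1 hour:", guesses_checked(3600))
    print("comparisons permitted in 1 day: ", guesses_checked(86400))
```

A per-account lockout like this can itself be used to lock a legitimate user out, so deployments usually pair it with per-client throttling or a challenge step.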
Researchers said the exposed contact information, combined with other personal details, could allow attackers to build detailed profiles of users and conduct targeted social engineering attacks.
The data release also appears to include information tied to younger users. Researchers reviewing the sample files reported finding records belonging to an individual born in 2014, raising concerns about the presence of children’s data in the dataset.
The breach has not been officially confirmed by the company. Researchers said they contacted the developers behind Cal AI to request comment on the claims, but had not received a response at the time of reporting.
Cal AI is a photo-based calorie tracking application that gained popularity through influencer promotions and social media endorsements. The service was recently acquired by fitness platform MyFitnessPal and has been downloaded more than 15 million times.