We often get requests from people who’ve lost access to their accounts. In almost all of these cases, these accounts are breached in one of three ways — the password to the account was shared with a third party, the password was weak, or the password was non-unique and was leaked from some other service’s data (“pwned”).

We can’t do much about password sharing, except to tell people “hey, stop doing that.” So please, do not share passwords!

Also, we can’t verify what happens to your data if you use a hacked or otherwise modified client or SDK. We’ve seen many reports of account information being stolen, only to discover the breached account was using a modified client or SDK (or both). In addition to being a violation of the Terms of Service, using a modified client or SDK opens you up to essentially anything that the person writing the software wants to do to your PC — so uh, don’t do that. Not just because it's against the rules, but because we don’t want you to lose your account.

We also see some situations where unofficial sites or apps will ask you for your VRChat login information. Don’t use those sites! Unless you’re entering your information into the official site or application, you have no idea if that data is being logged, saved, or otherwise breached.

As for weak passwords, well, we have to tell people to pick long, complex, memorable, unique passwords that are somehow also easy to enter using a VR keyboard. An almost impossible task, we know, which is why 90% of passwords in our system are just the word dumbledore*.

* this is not true, nor do we have any practical way of testing if it is true, but I bet it’s at least a little true

definitely not the password to the admin page

However, even if your password is reasonably complex, it can still show up in the wild. If, for example, you’ve used that password on a site that’s had a data breach, your password could still be floating around out there, just waiting to betray you.

Is “Pwned” Seriously Still a Thing People Say

Let’s talk about HaveIBeenPwned. HaveIBeenPwned (HIBP) is an online database of cracked passwords*. Many times, when a large data breach occurs — the kind that’ve happened at Yahoo, Adobe, Blizzard, DoorDash, Sony Online Entertainment, and, worst of all, BlueCross BlueShield of Tennessee — user passwords can end up being passed around in a giant torrent of Breached Passwords. Once that happens, hackers will download those giant Breached Password Piles and try them out on loads of different websites with loads of different users.

*technically, HIBP is a database of hashed versions of cracked passwords, which is a detail that’s extremely meaningful to those of you wearing the Security Hat, and extremely boring to the rest of you — it just means that one couldn’t directly use HIBP as an attack vector, because it doesn’t actually store the passwords.
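For those of you in the Security Hat, here is an added illustration (not code from this post or from VRChat) of how a client checks a password against HIBP's Pwned Passwords range API without ever sending the password or even its full hash: hash locally with SHA-1, send only the first five hex characters to https://api.pwnedpasswords.com/range/<prefix>, and compare the remaining 35 characters locally against the returned list. The endpoint URL and the "SUFFIX:COUNT" response format are HIBP's real ones; the network call is replaced here by a constructed offline response with made-up counts so the example runs as-is.

```python
import hashlib
from typing import Callable, Tuple

# Real endpoint: GET https://api.pwnedpasswords.com/range/<first 5 hex chars of SHA-1>
# It answers with lines of "<remaining 35 hex chars>:<breach count>". Only the 5-char
# prefix leaves your machine; the full hash is compared locally (k-anonymity).
HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_hex_upper(password: str) -> str:
    """Uppercase hex SHA-1 of the password, which is how HIBP keys its data."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(sha1_hex: str) -> Tuple[str, str]:
    """Split a 40-char SHA-1 hex into the 5-char prefix (sent) and 35-char suffix (kept local)."""
    if len(sha1_hex) != 40:
        raise ValueError("expected a 40-character SHA-1 hex digest")
    return sha1_hex[:5], sha1_hex[5:]


def count_in_range_response(suffix: str, body: str) -> int:
    """Parse a range-API body and return the breach count for this suffix, or 0 if absent."""
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue  # skip blank or malformed lines rather than failing the whole check
        found_suffix, _, count = line.partition(":")
        if found_suffix.upper() == suffix.upper():
            return int(count) if count.strip().isdigit() else 0
    return 0


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Hash locally, fetch the range for the prefix only, and compare the suffix locally."""
    prefix, suffix = split_hash(sha1_hex_upper(password))
    return count_in_range_response(suffix, fetch_range(prefix))


# Constructed, offline stand-in for the HTTP call (a real client would GET
# HIBP_RANGE_URL + prefix). It lists the post's joke password "dumbledore"
# as seen 12345 times; the other suffixes and counts are made up.
_DUMBLEDORE_SUFFIX = split_hash(sha1_hex_upper("dumbledore"))[1]
_FAKE_BODY = (
    "0018A45C4D1DEF81644B54AB7F969B88D65:3\n"
    f"{_DUMBLEDORE_SUFFIX}:12345\n"
    "011053FD0102E94D6AE2F8B83D76FAF94F6:1\n"
)


def fake_fetch_range(prefix: str) -> str:
    """Offline stand-in: returns the constructed body regardless of prefix."""
    return _FAKE_BODY


if __name__ == "__main__":
    print(pwned_count("dumbledore", fake_fetch_range))  # 12345
```

Any non-zero count means the password is in a Breached Password Pile and should be rejected at signup or password change, which is exactly the "pwned" case the post describes.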

We’ve been seeing more and more of that kind of attack lately, often from huge distributed networks. They usually don’t get far, but they can occasionally hit pay-dirt. This wholesale vandalry must be stopped!